WordPress Plugin Vulnerabilities
Frontend File Manager Plugin <= 23.6 - Unauthenticated Arbitrary File Deletion via Saved File Metadata Path Traversal
Description
The plugin does not validate a file path derived from user input before deleting the referenced file, allowing unauthenticated users to delete arbitrary files on the server (such as wp-config.php) when guest upload mode is enabled. Deleting wp-config.php forces the site into its setup routine, which can be leveraged toward a full site takeover.
Proof of Concept
Affects Plugins
References
CVE
Classification
Type
FILE DELETION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Chamseddine Bouzaiene
Submitter
Chamseddine Bouzaiene
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2026-06-16 (about 21 days ago)
Added
2026-06-16 (about 20 days ago)
Last Updated
2026-06-16 (about 20 days ago)