Frontend File Manager Plugin <= 23.6 - Subscriber+ Arbitrary Download Access via IDOR

Description

During the analysis, it was identified that authenticated attackers with Subscriber-level access or higher are able to perform an Insecure Direct Object Reference (IDOR) attack. This vulnerability exists because the plugin does not properly validate user authorization for the requested uploaded file when processing download requests. By modifying the value of the 'file_id' parameter in the download endpoint (e.g., http://localhost/?do=wpfm_download&file_id=40&nm_file_nonce=a36fb893f1), an attacker can access files belonging to other users, including privileged users such as administrators. This allows unauthorized access/read to sensitive data stored within the application.

As a result, an attacker can enumerate and access sensitive files stored by other users, including privileged accounts such as administrators. Since object identifiers appear to be predictable or sequential, this significantly increases the likelihood of successful exploitation. Because the vulnerability affects access control and allows unauthorized data disclosure, it represents a significant risk to the confidentiality and integrity of the system.