Frontend File Manager Plugin <= 23.6 – Author+ Arbitrary Post Deletion | CVE 2026-8380

Description

The plugin does not properly verify ownership of every targeted post before permanent deletion, allowing authenticated users with author-level access and above to permanently delete arbitrary posts and pages. When the plugin's "Allow guest uploads" setting is enabled by an administrator, the same deletion primitive becomes reachable by unauthenticated users.

Proof of Concept

The PoC will be displayed on June 18, 2026, to give users the time to update.

Affects Plugins

nmedia-user-file-uploader

No known fix

References

CVE

CVE-2026-8380

Classification

Type

FILE DELETION

OWASP top 10

A6: Security Misconfiguration

CWE

CWE-73

CVSS

6.5 (medium)

Miscellaneous

Original Researcher

Tiago Ferreira

Submitter

Tiago Ferreira

Verified

Yes

WPVDB ID

45fcbf74-45be-4cff-a81a-0fea903592a5

Timeline

Publicly Published

2026-06-04 (about 6 days ago)

Added

2026-05-28 (about 7 hours ago)

Last Updated

2026-05-28 (about 7 hours ago)

Other

Published

Title

Published

2025-02-28

Title

Simple Download Counter < 2.1 - Authenticated (Author+) Arbitrary File Read

Published

2025-03-19

Title

Order Export & Order Import for WooCommerce < 2.6.1 - Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Deletion via admin_log_page Function

Published

2025-07-08

Title

SureForms < 1.7.4 - Unauthenticated Arbitrary File Deletion

Published

2025-12-02

Title

Modula 2.13.1 - 2.13.2 - Author+ Arbitrary File Deletion

Published

2025-09-16

Title

WP Import – Ultimate CSV XML Importer for WordPress < 7.28 - Authenticated (Subscriber+) Arbitrary File Deletion