Frontend File Manager Plugin <= 23.6 – Unauthenticated Arbitrary File Download | CVE 2026-8379

Description

The plugin does not properly enforce its nonce check on the file download handler, allowing unauthenticated attackers to download files uploaded by any user through the plugin by iterating identifiers.

Proof of Concept

1. As any user, upload a file through the [ffmwp] shortcode and note the file_id returned in the upload response (also visible in the file's download link).
2. From a completely unauthenticated session, request:

   curl -i "https://example.com/?do=wpfm_download&file_id=<ID>&nm_file_by_email=1"

   The file's bytes are returned with HTTP 200.

3. Iterating sequential file_id values returns files uploaded by any user. The `nm_file_by_email` parameter does not need to carry any token — its mere presence (an `isset()` check) skips the nonce verification entirely.