Description
The Frontend File Manager Plugin WordPress plugin through 23.6 does not sanitise nor escape a filename submitted to the frontend file-rename endpoint before storing it as post meta and rendering it back on the admin File Manager listing, leading to a Stored Cross-Site Scripting vulnerability exploitable by users with Subscriber-level access and above against an administrator viewing the file management interface.
Published: 2026-06-23
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Wed, 24 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Wed, 24 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Wed, 24 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Wed, 24 Jun 2026 01:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Tue, 23 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Tue, 23 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Tue, 23 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Tue, 23 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 23 Jun 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Frontend File Manager Plugin
Frontend File Manager Plugin frontend File Manager Plugin
Wordpress
Wordpress wordpress
Vendors & Products Frontend File Manager Plugin
Frontend File Manager Plugin frontend File Manager Plugin
Wordpress
Wordpress wordpress

Tue, 23 Jun 2026 08:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Tue, 23 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Description The Frontend File Manager Plugin WordPress plugin through 23.6 does not sanitise nor escape a filename submitted to the frontend file-rename endpoint before storing it as post meta and rendering it back on the admin File Manager listing, leading to a Stored Cross-Site Scripting vulnerability exploitable by users with Subscriber-level access and above against an administrator viewing the file management interface.
Title Frontend File Manager Plugin <= 23.6 - Subscriber+ Stored Cross-Site Scripting via File Rename
References

Subscriptions

Frontend File Manager Plugin Frontend File Manager Plugin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-23T12:36:40.104Z

Reserved: 2026-05-12T08:47:27.798Z

Link: CVE-2026-8378

cve-icon Vulnrichment

Updated: 2026-06-23T12:36:35.985Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T15:45:06Z

Weaknesses