Mallory
Rating: Unrated

Authenticated Arbitrary File Deletion in Frontend File Manager Plugin for WordPress

Identifiers: CVE-2026-8095, CWE-73

CVE-2026-8095 is an authenticated arbitrary file deletion vulnerability in the Frontend File Manager Plugin for WordPress affecting versions up to and including 23.6. The flaw is in the wpfm_file_meta_update AJAX handler, where a case-sensitive bypass allows an attacker to submit the parameter WPFM_DIR_PATH in uppercase to evade an unset check intended for wpfm_dir_path. During update_post_meta(), sanitize_key() normalizes the attacker-controlled key to wpfm_dir_path, allowing the stored file path metadata to be overwritten with an arbitrary filesystem path. That path is later consumed by delete_file_locally(), which passes it directly to unlink() without validating that the target remains within an allowed directory. As a result, an authenticated attacker can cause deletion of arbitrary files on the server, including critical WordPress files such as wp-config.php.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows authenticated attackers with only Subscriber-level access to delete arbitrary files on the underlying server. Impact ranges from application disruption and denial of service to deletion of sensitive or security-critical files. If files such as wp-config.php are removed, the attacker may be able to force reinstallation or otherwise create conditions that can lead to full site takeover.

Mitigation

If you can’t patch tonight, do this now.

If a fixed release is not yet available, restrict or disable access to the plugin's file-management functionality, especially for low-privileged roles such as Subscribers. Remove unnecessary Subscriber accounts, disable the vulnerable plugin if operationally feasible, and monitor for suspicious AJAX requests targeting wpfm_file_meta_update or for unexpected deletion of WordPress files. Additional hardening should include filesystem permission controls that limit the web server's ability to delete sensitive files where possible.

Remediation

Patch, then assume compromise.

Update the Frontend File Manager Plugin for WordPress to a fixed version newer than 23.6 once an official patch is available. The vulnerable code path should be corrected so that parameter handling cannot be bypassed through case variation, stored file path metadata cannot be overwritten with attacker-controlled arbitrary paths, and deletion routines enforce strict directory containment and canonical path validation before invoking unlink(). Verify after patching that file deletion restrictions are correctly enforced.
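The two defensive properties described above, normalising a request key before applying the blocklist and checking canonical directory containment before unlinking, as an added Python example that is not the plugin's own code. sanitize_key() is modelled from its documented behaviour (lowercase, keep only [a-z0-9_-]); the directory layout in run_demo() is constructed for the example.

```python
import os
import re
import tempfile

# Meta keys that request parameters must never be allowed to overwrite.
PROTECTED_META_KEYS = {"wpfm_dir_path"}


def sanitize_key(key: str) -> str:
    """Model of WordPress sanitize_key(): lowercase, strip all but [a-z0-9_-]."""
    return re.sub(r"[^a-z0-9_-]", "", key.lower())


def filter_meta_vulnerable(params: dict) -> dict:
    """Bug pattern: exact-case check on the raw key, normalisation afterwards."""
    accepted = {}
    for raw_key, value in params.items():
        if raw_key == "wpfm_dir_path":      # WPFM_DIR_PATH slips past this check
            continue
        accepted[sanitize_key(raw_key)] = value  # ...and is stored as wpfm_dir_path
    return accepted


def filter_meta_fixed(params: dict) -> dict:
    """Fix: normalise first, then apply the blocklist to the key actually stored."""
    accepted = {}
    for raw_key, value in params.items():
        key = sanitize_key(raw_key)
        if key in PROTECTED_META_KEYS:
            continue
        accepted[key] = value
    return accepted


def delete_within(base_dir: str, stored_path: str) -> bool:
    """Unlink only if the canonical target stays strictly inside canonical base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, stored_path))  # absolute paths override join
    if target == base or os.path.commonpath([base, target]) != base:
        return False                      # traversal or absolute path outside the sandbox
    if not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def run_demo() -> dict:
    """Constructed layout: an uploads dir beside a dummy wp-config.php (not a real site)."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.mkdir(uploads)
        open(os.path.join(uploads, "report.pdf"), "w").close()
        config = os.path.join(root, "wp-config.php")
        open(config, "w").close()
        return {
            "inside_deleted": delete_within(uploads, "report.pdf"),
            "traversal_blocked": not delete_within(uploads, "../wp-config.php"),
            "absolute_blocked": not delete_within(uploads, config),
            "config_survives": os.path.exists(config),
        }
```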
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.


No public exploit code observed for this vulnerability.
