CVE-2026-8378
Frontend File Manager Plugin <= 23.6 - Subscriber+ Stored Cross-Site Scripting via File Rename
The Frontend File Manager Plugin WordPress plugin through 23.6 does not sanitise nor escape a filename submitted to the frontend file-rename endpoint before storing it as post meta and rendering it back on the admin File Manager listing, leading to a Stored Cross-Site Scripting vulnerability exploitable by users with Subscriber-level access and above against an administrator viewing the file management interface.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Affected products
Unknown · Frontend File Manager Pluginpublic PoCs found — 1
cve_referencewpscan.com/vulnerability/19f5dd94-b16c-4ad2-9586-d15ddecf9805/unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →