CVE-2026-12277
Frontend File Manager Plugin <= 23.6 - Unauthenticated Arbitrary File Deletion via Saved File Metadata Path Traversal
CVSS Score
8.7
EPSS Score
0.1%
EPSS Percentile
4th
The Frontend File Manager Plugin WordPress plugin through 23.6 does not validate a file path derived from user input before deleting the referenced file, allowing unauthenticated users to delete arbitrary files on the server (such as wp-config.php) when guest upload mode is enabled. Deleting wp-config.php forces the site into its setup routine, which can be leveraged toward a full site takeover.
| Vendor | unknown |
| Product | frontend file manager plugin |
| Published | Jul 7, 2026 |
| Last Updated | Jul 7, 2026 |
Stay Ahead of the Next One
Get instant alerts for unknown frontend file manager plugin
Be the first to know when new high vulnerabilities affecting unknown frontend file manager plugin are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Unknown / Frontend File Manager Plugin
0 โค 23.6
References
Credits
Chamseddine Bouzaiene WPScan