๐Ÿ” CVE Alert

CVE-2026-12277

HIGH 8.7

Frontend File Manager Plugin <= 23.6 - Unauthenticated Arbitrary File Deletion via Saved File Metadata Path Traversal

CVSS Score
8.7
EPSS Score
0.1%
EPSS Percentile
4th

The Frontend File Manager Plugin WordPress plugin through 23.6 does not validate a file path derived from user input before deleting the referenced file, allowing unauthenticated users to delete arbitrary files on the server (such as wp-config.php) when guest upload mode is enabled. Deleting wp-config.php forces the site into its setup routine, which can be leveraged toward a full site takeover.

Vendor unknown
Product frontend file manager plugin
Published Jul 7, 2026
Last Updated Jul 7, 2026
Stay Ahead of the Next One

Get instant alerts for unknown frontend file manager plugin

Be the first to know when new high vulnerabilities affecting unknown frontend file manager plugin are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Unknown / Frontend File Manager Plugin
0 โ‰ค 23.6

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wpscan.com: https://wpscan.com/vulnerability/30f208f6-9d7b-4aaf-8689-496521d1a1dc/

Credits

Chamseddine Bouzaiene WPScan