📄 Description (English)
The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_email' AJAX action in all versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to share arbitrary uploaded files via email by supplying a file ID. Since file IDs are sequential integers, attackers can enumerate all uploaded files on the site and exfiltrate sensitive data that was intended to be restricted to administrators only.
🤖 AI Executive Summary
The Frontend File Manager Plugin for WordPress contains a critical authorization bypass vulnerability (CVE-2026-1280) allowing unauthenticated attackers to enumerate and exfiltrate arbitrary uploaded files via email. With a CVSS score of 7.5 and no authentication required, this vulnerability poses significant risk to Saudi organizations using WordPress for document management and file sharing. Immediate patching to version 23.6 or later is essential to prevent unauthorized data disclosure.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 3, 2026 10:17
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability directly impacts Saudi organizations across multiple sectors: Government agencies and ministries using WordPress for document management face exposure of classified or sensitive administrative files; Banking and financial institutions risk disclosure of customer data and financial documents; Healthcare providers could expose patient records and medical files; Educational institutions may lose access control over student and research data; Telecommunications companies using WordPress portals risk customer information exposure. The sequential file ID enumeration technique makes this particularly dangerous as attackers can systematically extract all uploaded files without detection.
🏢 Affected Saudi Sectors
Government and Public Administration
Banking and Financial Services
Healthcare and Medical Institutions
Energy and Utilities
Telecommunications
Education
Insurance
Real Estate and Construction
Retail and E-commerce
Legal Services
🎯 MITRE ATT&CK Techniques
T1190 - Exploit Public-Facing Application
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1589 - Gather Victim Identity Information
T1590 - Gather Victim Network Information
T1592 - Gather Victim Host Information
T1526 - Enumerate External Targets
T1087 - Account Discovery
T1526 - Enumerate External Targets
T1040 - Network Sniffing
T1557 - Adversary-in-the-Middle
T1041 - Exfiltration Over C2 Channel
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Update Frontend File Manager Plugin to version 23.6 or later immediately
2. If immediate patching is not possible, disable the plugin until patching can be completed
3. Review server logs for suspicious AJAX requests to 'wpfm_send_file_in_email' action from the past 30 days
4. Audit all uploaded files for unauthorized access or exfiltration attempts
PATCHING GUIDANCE:
1. Backup WordPress database and files before updating
2. Test the update in a staging environment first
3. Apply the patch during maintenance windows to minimize disruption
4. Verify plugin functionality post-update
COMPENSATING CONTROLS (if patching delayed):
1. Implement Web Application Firewall (WAF) rules to block AJAX requests to 'wpfm_send_file_in_email' from unauthenticated users
2. Restrict file upload directory access via .htaccess or nginx configuration
3. Implement rate limiting on AJAX endpoints
4. Move sensitive files outside web root
5. Implement file access logging and monitoring
DETECTION RULES:
1. Monitor for POST requests to /wp-admin/admin-ajax.php with action=wpfm_send_file_in_email from non-authenticated sessions
2. Alert on sequential file ID requests (e.g., file_id=1, file_id=2, file_id=3)
3. Monitor email logs for unexpected file sharing notifications
4. Track failed authentication attempts followed by AJAX exploitation attempts
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديث مكون Frontend File Manager إلى الإصدار 23.6 أو أحدث فوراً
2. إذا لم يكن التحديث الفوري ممكناً، قم بتعطيل المكون حتى يتم التحديث
3. مراجعة سجلات الخادم للطلبات المريبة إلى إجراء 'wpfm_send_file_in_email' من آخر 30 يوماً
4. تدقيق جميع الملفات المرفوعة للتحقق من محاولات الوصول غير المصرح به
إرشادات التصحيح:
1. عمل نسخة احتياطية من قاعدة بيانات WordPress والملفات قبل التحديث
2. اختبار التحديث في بيئة اختبار أولاً
3. تطبيق التصحيح خلال نوافذ الصيانة لتقليل التأثير
4. التحقق من وظائف المكون بعد التحديث
الضوابط البديلة (إذا تأخر التصحيح):
1. تطبيق قواعد جدار حماية تطبيقات الويب لحجب طلبات AJAX إلى 'wpfm_send_file_in_email' من المستخدمين غير المصرح لهم
2. تقييد الوصول إلى دليل الملفات المرفوعة عبر .htaccess أو إعدادات nginx
3. تطبيق تحديد معدل على نقاط نهاية AJAX
4. نقل الملفات الحساسة خارج جذر الويب
5. تطبيق تسجيل ومراقبة الوصول إلى الملفات
قواعد الكشف:
1. مراقبة طلبات POST إلى /wp-admin/admin-ajax.php مع action=wpfm_send_file_in_email من جلسات غير مصرح لها
2. تنبيه على طلبات معرف الملف المتسلسلة (مثل file_id=1, file_id=2, file_id=3)
3. مراقبة سجلات البريد الإلكتروني لإشعارات مشاركة الملفات غير المتوقعة
4. تتبع محاولات المصادقة الفاشلة متبوعة بمحاولات استغلال AJAX
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies and Procedures
A.6.1.1 - Access Control Policy
A.6.2.1 - User Registration and De-registration
A.6.2.2 - User Access Rights
A.7.1.1 - Information Security Event Logging
A.8.2.1 - Classification of Information
A.8.2.3 - Handling of Assets
A.12.4.1 - Event Logging
A.12.4.3 - Administrator and Operator Logs
🔵 SAMA CSF
ID.AC-1 - Access Control Policy and Procedures
ID.AC-2 - Physical and Logical Access Controls
PR.AC-1 - Identities and Credentials Management
PR.AC-3 - Access Enforcement
DE.AE-1 - Audit and Accountability
DE.CM-1 - System Monitoring
RS.AN-1 - Characterization of Incident
🟡 ISO 27001:2022
5.3 - Segregation of Duties
6.2 - Access to Information and Other Associated Assets
8.1 - User Endpoint Devices
8.2 - Privileged Access Rights
8.3 - Information Access Restriction
8.4 - Access to Source Code
8.5 - Authentication
8.6 - Capacity Management
8.7 - Protection Against Malware
8.32 - Change of Information Ownership or Classification
🟣 PCI DSS v4.0.1
Requirement 1.1 - Firewall Configuration Standards
Requirement 2.1 - Default Passwords
Requirement 6.2 - Security Patches
Requirement 6.5.1 - Injection Flaws
Requirement 7.1 - Access Control
Requirement 8.1 - User Identification
Requirement 8.2 - Authentication
Requirement 10.1 - Audit Trails
🔗 References & Sources 3
🔗
🔗
🔗
https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.5/inc/call...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/trunk/inc/callback...
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/e739e7d3-756a-4c93-9ca7-f7b9f...
security@wordfence.com