CVE-2026-12277
HIGHFrontend File Manager Plugin <= 23.6 - Unauthenticated Arbitrary File Deletion via Saved File Metadata Path Traversal
Title source: cnaExploitation Summary
EIP tracks 1 public exploit for CVE-2026-12277. PoCs published by moritakaaz.
AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-12277, an unauthenticated arbitrary file deletion vulnerability in the Frontend File Manager WordPress plugin (≤23.6). The exploit chains file upload, metadata manipulation, and file deletion to remove wp-config.php, enabling full site takeover via WordPress setup reinitialization.
Description
The Frontend File Manager Plugin WordPress plugin through 23.6 does not validate a file path derived from user input before deleting the referenced file, allowing unauthenticated users to delete arbitrary files on the server (such as wp-config.php) when guest upload mode is enabled. Deleting wp-config.php forces the site into its setup routine, which can be leveraged toward a full site takeover.
Exploits (1)
This repository contains a functional exploit for CVE-2026-12277, an unauthenticated arbitrary file deletion vulnerability in the Frontend File Manager WordPress plugin (≤23.6). The exploit chains file upload, metadata manipulation, and file deletion to remove wp-config.php, enabling full site takeover via WordPress setup reinitialization.
References (1)
Scores
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H