CVE-2026-12277

HIGH

Frontend File Manager Plugin <= 23.6 - Unauthenticated Arbitrary File Deletion via Saved File Metadata Path Traversal

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-12277. PoCs published by moritakaaz.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-12277, an unauthenticated arbitrary file deletion vulnerability in the Frontend File Manager WordPress plugin (≤23.6). The exploit chains file upload, metadata manipulation, and file deletion to remove wp-config.php, enabling full site takeover via WordPress setup reinitialization.

Description

The Frontend File Manager Plugin WordPress plugin through 23.6 does not validate a file path derived from user input before deleting the referenced file, allowing unauthenticated users to delete arbitrary files on the server (such as wp-config.php) when guest upload mode is enabled. Deleting wp-config.php forces the site into its setup routine, which can be leveraged toward a full site takeover.

Exploits (1)

github WORKING POC
by moritakaaz · pythonpoc
https://github.com/moritakaaz/CVE-2026-12277

This repository contains a functional exploit for CVE-2026-12277, an unauthenticated arbitrary file deletion vulnerability in the Frontend File Manager WordPress plugin (≤23.6). The exploit chains file upload, metadata manipulation, and file deletion to remove wp-config.php, enabling full site takeover via WordPress setup reinitialization.

Classification
Working Poc 98%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Frontend File Manager WordPress Plugin ≤23.6
No auth needed
Prerequisites: Guest upload mode enabled on target · Valid wp-config.php path (environment-specific) · Plugin installed and accessible via AJAX endpoints
mistral-large-3 · analyzed Jul 08, 2026 Full analysis →

References (1)

Core 1
Core References
Exploit exploit vdb-entry technical-description
https://wpscan.com/vulnerability/30f208f6-9d7b-4aaf-8689-496521d1a1dc/

Scores

CVSS v3 8.7
EPSS 0.0023
EPSS Percentile 13.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

Status published
Products (1)
None/Frontend File Manager Plugin < 23.6
Published Jul 07, 2026
Tracked Since Jul 07, 2026