CVE-2026-8379
HIGHFrontend File Manager Plugin <= 23.6 - Unauthenticated Arbitrary File Download
Title source: cnaDescription
The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly enforce its nonce check on the file download handler, allowing unauthenticated attackers to download files uploaded by any user through the Frontend File Manager Plugin WordPress plugin through 23.6 by iterating identifiers.
References (1)
Core 1
Core References
Exploit exploit
vdb-entry
technical-description
https://wpscan.com/vulnerability/71619406-19bb-437f-9538-fdf73de98827/
Scores
CVSS v3
7.5
EPSS
0.0024
EPSS Percentile
15.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
Status
published
Products (1)
None/Frontend File Manager Plugin
< 23.6
Published
Jun 23, 2026
Tracked Since
Jun 23, 2026