Back to overview

CVE-2026-12277

Description
The Frontend File Manager Plugin WordPress plugin through 23.6 does not validate a file path derived from user input before deleting the referenced file, allowing unauthenticated users to delete arbitrary files on the server (such as wp-config.php) when guest upload mode is enabled. Deleting wp-config.php forces the site into its setup routine, which can be leveraged toward a full site takeover.

Metadata

CVE ID
CVE-2026-12277
State
PUBLISHED
Assigner
WPScan
Reserved
2026-06-15 11:46 UTC
Published
2026-07-07 06:00 UTC
Last updated
2026-07-07 06:00 UTC
Vendor / Product
Unknown / Frontend File Manager Plugin
Sources
cve.org  ·  NVD

Severity & Metrics

No CVSS data available.

Affected products (1)
VendorProductPlatformVersions
Unknown Frontend File Manager Plugin 0 ≤ 23.6
Weakness (CWE)
CWESourceDescription
cna CWE-73 External Control of File Name or Path
Back to overview