CVE-2026-8378 | The Frontend File Manager Plugin WordPress plugin through 23…

Description

The Frontend File Manager Plugin WordPress plugin through 23.6 does not sanitise nor escape a filename submitted to the frontend file-rename endpoint before storing it as post meta and rendering it back on the admin File Manager listing, leading to a Stored Cross-Site Scripting vulnerability exploitable by users with Subscriber-level access and above against an administrator viewing the file management interface.

Metadata

CVE ID: CVE-2026-8378
State: PUBLISHED
Assigner: WPScan
Reserved: 2026-05-12 08:47 UTC
Published: 2026-06-23 06:00 UTC
Last updated: 2026-06-23 06:00 UTC
Vendor / Product: Unknown / Frontend File Manager Plugin
Sources: cve.org · NVD

Severity & Metrics

No CVSS data available.

Affected products (1)

Vendor	Product	Platform	Versions
Unknown	Frontend File Manager Plugin	—	0 ≤ 23.6

Weakness (CWE)

CWE	Source	Description
—	cna	CWE-79 Cross-Site Scripting (XSS)

References (1)

https://wpscan.com/vulnerability/19f5dd94-b16c-4ad2-9586-d15ddecf9805/