saas · MITRE
The Frontend File Manager Plugin for WordPress (versions up to 23.6) contains an authenticated arbitrary file deletion vulnerability. The flaw stems from a case-sensitive bypass in the wpfm_dir_path parameter sanitization within the wpfm_file_meta_update AJAX handler. An attacker supplying the parameter in uppercase (WPFM_DIR_PATH) can evade validation checks, allowing them to overwrite the stored file path with an arbitrary filesystem path. This path is then passed directly to the unlink() function without directory containment validation, enabling authenticated attackers with Subscriber-level access to delete arbitrary files on the server, including critical files such as wp-config.php.
For SaaS and hosted service providers running WordPress, this vulnerability directly impacts integrity and availability controls required under SOC2 Type II audits. Organizations must ensure WordPress plugin inventories are current and that file system access controls are properly scoped. Defense contractors and healthcare providers hosting WordPress applications should verify plugin versions and ensure change management procedures cover third-party plugin updates. An Omniware engagement can scope your WordPress deployment's plugin hygiene and filesystem controls in detail.
Source: MITRE National Vulnerability Database - https://nvd.nist.gov/vuln/detail/CVE-2026-8095
Source: MITRE
All briefings