CVE-2026-8095 - WordPress Frontend File Manager arbitrary file deletion
CVE-2026-8095 - WordPress Frontend File Manager arbitrary file deletion - High - 2026-06-28
Business risk: A low-privilege WordPress user can delete wp-config.php or other server files and turn file deletion into site takeover.
Root cause: wpfm_dir_path sanitization is case-sensitive before sanitize_key normalizes uppercase input, and unlink runs without containment.
Affected versions
- Vulnerable: Frontend File Manager Plugin / nmedia-user-file-uploader up to and including 23.6.
- Fixed / safe target: Disable/remove the plugin until patched; owned forks must normalize keys, enforce nonce/capability checks, and contain delete paths.
- CVSS: 8.1 (High)
Exact vulnerable code pattern
unset($_POST['wpfm_dir_path']);
foreach ($_POST as $key => $value) {
update_post_meta($file_id, sanitize_key($key), sanitize_text_field($value));
}
unlink(get_post_meta($file_id, 'wpfm_dir_path', true));
Fixed / mitigated code pattern
check_ajax_referer('wpfm_file_meta_update');
if (!current_user_can('upload_files')) { wp_send_json_error('forbidden', 403); }
$blocked = array('wpfm_dir_path' => true);
foreach ($_POST as $key => $value) {
$normalized = sanitize_key($key);
if (isset($blocked[$normalized])) { continue; }
update_post_meta($file_id, $normalized, sanitize_text_field($value));
}
$path = realpath(get_post_meta($file_id, 'wpfm_dir_path', true));
$root = realpath(WP_CONTENT_DIR . '/uploads');
if (!$path || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) { wp_die('invalid path', 400); }
unlink($path);
Step-by-step integration guide
- Identify WordPress sites with the plugin <=23.6.
- Disable/remove the plugin or deploy a vendor patch.
- Patch owned forks for nonce, capability, normalized-key blocking, and realpath containment.
- Search logs for WPFM_DIR_PATH requests.
- Restore deleted files and rotate secrets if wp-config.php was touched.
Alternative mitigations
- WAF-block wpfm_file_meta_update from non-admins.
- Deny PHP user deletion outside wp-content/uploads.
- Temporarily disable subscriber access to plugin file actions.
Detection signature
rg -n "wpfm_file_meta_update|WPFM_DIR_PATH|wpfm_dir_path|delete_file_locally|nmedia-user-file-uploader" wp-content .
Copy-paste skill block
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
Remediate CVE-2026-8095: WordPress Frontend File Manager arbitrary file deletion.
Required output:
- A reviewer-ready PR with dependency/config/code changes, tests, and deployment notes; or
- TRIAGE.md if the affected runtime is outside this repository.
Steps:
1. Confirm exposure using the detection signature above.
2. Apply the fixed or mitigated pattern.
3. Add or run a regression test for the exploit shape.
4. Record commands, versions, and residual risk in the PR body.
Boundaries:
- Scope only CVE-2026-8095 and directly related hardening.
- Do not run destructive exploit payloads against production.
- Preserve existing behavior except for the vulnerable path.
Tags and revenue routing
- Keywords: cve, wordpress, php, arbitrary-file-deletion, plugin, sellable_to_agencies, zero_day_gold, high
- Affected tech stack: php/wordpress
- Revenue tags: sellable_to_agencies, zero_day_gold