CVE-2026-8095 - WordPress Frontend File Manager arbitrary file deletion

CVE-2026-8095 - WordPress Frontend File Manager arbitrary file deletion - High - 2026-06-28

Business risk: A low-privilege WordPress user can delete wp-config.php or other server files and turn file deletion into site takeover.

Root cause: wpfm_dir_path sanitization is case-sensitive before sanitize_key normalizes uppercase input, and unlink runs without containment.

Affected versions

  • Vulnerable: Frontend File Manager Plugin / nmedia-user-file-uploader up to and including 23.6.
  • Fixed / safe target: Disable/remove the plugin until patched; owned forks must normalize keys, enforce nonce/capability checks, and contain delete paths.
  • CVSS: 8.1 (High)

Exact vulnerable code pattern

unset($_POST['wpfm_dir_path']);
foreach ($_POST as $key => $value) {
    update_post_meta($file_id, sanitize_key($key), sanitize_text_field($value));
}
unlink(get_post_meta($file_id, 'wpfm_dir_path', true));

Fixed / mitigated code pattern

check_ajax_referer('wpfm_file_meta_update');
if (!current_user_can('upload_files')) { wp_send_json_error('forbidden', 403); }
$blocked = array('wpfm_dir_path' => true);
foreach ($_POST as $key => $value) {
    $normalized = sanitize_key($key);
    if (isset($blocked[$normalized])) { continue; }
    update_post_meta($file_id, $normalized, sanitize_text_field($value));
}
$path = realpath(get_post_meta($file_id, 'wpfm_dir_path', true));
$root = realpath(WP_CONTENT_DIR . '/uploads');
if (!$path || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) { wp_die('invalid path', 400); }
unlink($path);

Step-by-step integration guide

  1. Identify WordPress sites with the plugin <=23.6.
  2. Disable/remove the plugin or deploy a vendor patch.
  3. Patch owned forks for nonce, capability, normalized-key blocking, and realpath containment.
  4. Search logs for WPFM_DIR_PATH requests.
  5. Restore deleted files and rotate secrets if wp-config.php was touched.

Alternative mitigations

  • WAF-block wpfm_file_meta_update from non-admins.
  • Deny PHP user deletion outside wp-content/uploads.
  • Temporarily disable subscriber access to plugin file actions.

Detection signature

rg -n "wpfm_file_meta_update|WPFM_DIR_PATH|wpfm_dir_path|delete_file_locally|nmedia-user-file-uploader" wp-content .

Copy-paste skill block

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

Remediate CVE-2026-8095: WordPress Frontend File Manager arbitrary file deletion.

Required output:
- A reviewer-ready PR with dependency/config/code changes, tests, and deployment notes; or
- TRIAGE.md if the affected runtime is outside this repository.

Steps:
1. Confirm exposure using the detection signature above.
2. Apply the fixed or mitigated pattern.
3. Add or run a regression test for the exploit shape.
4. Record commands, versions, and residual risk in the PR body.

Boundaries:
- Scope only CVE-2026-8095 and directly related hardening.
- Do not run destructive exploit payloads against production.
- Preserve existing behavior except for the vulnerable path.

Tags and revenue routing

  • Keywords: cve, wordpress, php, arbitrary-file-deletion, plugin, sellable_to_agencies, zero_day_gold, high
  • Affected tech stack: php/wordpress
  • Revenue tags: sellable_to_agencies, zero_day_gold

References