CVE-2026-8095 - WordPress Frontend File Manager arbitrary file deletion
CVE-2026-8095 + WordPress Frontend File Manager arbitrary file deletion + High + 2026-06-28
One-sentence business risk
Subscriber-level users can delete arbitrary server files such as wp-config.php, creating a direct WordPress takeover path.
Research notes
- Root cause: The Frontend File Manager Plugin plugin for WordPress is vulnerable to Authenticated Arbitrary File Deletion in versions up to and including 23.6.
- Affected versions: Frontend File Manager Plugin for WordPress through 23.6.
- Fixed / safe versions: vendor-patched plugin release when available; local patch must canonicalize metadata keys and enforce containment before unlink.
- Public exploit / PoC signal: the consulted NVD/GHSA/vendor sources describe the trigger class; treat it as reproducible until patched.
- CVSS: 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H.
Exact vulnerable code pattern
name = manifest.annotations["org.opencontainers.image.title"]
target = os.path.join(download_dir, name)
open(target, "wb").write(layer_bytes)
Fixed / mitigated code pattern
name = pathlib.PurePosixPath(annotation).name
if name in {"", ".", ".."} or any(sep in annotation for sep in ["/", "\\"]):
raise ValueError("unsafe artifact title")
target = (download_dir / name).resolve()
if not str(target).startswith(str(download_dir.resolve()) + os.sep):
raise ValueError("path escape")
target.write_bytes(layer_bytes)
Dependency or runtime update:
wp plugin list | grep -i "frontend-file-manager\|nmedia"
wp plugin deactivate nmedia-user-file-uploader
# apply patched plugin or local containment fix before reactivation
Step-by-step integration guide
- Inventory
nmedia-user-file-uploader / Frontend File Manager Pluginin source, lockfiles, SBOMs, CI images, containers, deployment manifests, and managed runtimes. - Upgrade or patch to
vendor-patched plugin release when available; local patch must canonicalize metadata keys and enforce containment before unlink; if no upstream package is available, apply the local guard shown above and track the vendor release as a blocking follow-up. - Replace every vulnerable
path-traversalpattern with a fail-closed implementation that validates ownership, bounds, canonical paths, origin/session binding, or parser limits before acting. - Add a regression test that reproduces the advisory shape safely and proves the request is rejected, bounded, or authorized.
- Deploy through canary, monitor auth, file, parser, crash, and CI-runner logs, then remove temporary edge blocks only after all runtimes are fixed.
Alternative mitigations
- Disable the vulnerable feature path, decoder, plugin, runner backend, proxy agent, or route while the patch rolls out.
- Add WAF/reverse-proxy rules for SQL metacharacters, traversal tokens, unsafe Docker flags, oversized/nested payloads, or unexpected session-origin transitions matching this trigger class.
- Restrict egress and access to untrusted artifacts, SSH servers, media uploads, workflow execution, and administrative delegation until fixed versions are verified.
- Rotate credentials and invalidate sessions if logs show the vulnerable path was reachable by untrusted users.
Detection signature
id: cve-2026-8095-wordpress-frontend-file-manager-arbitrary-file-d
source: NVD
package_or_product: "nmedia-user-file-uploader / Frontend File Manager Plugin"
affected: "Frontend File Manager Plugin for WordPress through 23.6"
fixed: "vendor-patched plugin release when available; local patch must canonicalize metadata keys and enforce containment before unlink"
cvss: "8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
signals:
- "path-traversal"
- "CVE-2026-8095"
- "nmedia-user-file-uploader / Frontend File Manager Plugin"
action: "upgrade, add a regression test, and verify deploy artifact"
Copy-paste skill
You are remediating CVE-2026-8095 (WordPress Frontend File Manager arbitrary file deletion) in this repository.
Produce a reviewer-ready PR or TRIAGE.md. Inventory nmedia-user-file-uploader / Frontend File Manager Plugin across source, lockfiles, images, CI, deployment manifests, and SBOMs. Apply vendor-patched plugin release when available; local patch must canonicalize metadata keys and enforce containment before unlink. Replace the vulnerable path-traversal pattern with the fail-closed pattern, add a regression test for the advisory trigger, and document owner, rollout, rollback, and validation evidence. Do not run public exploit PoCs against production or expose secrets in logs.
Keywords, affected tech stack, and revenue tags
- Keywords:
CVE-2026-8095,path-traversal,nmedia-user-file-uploader / Frontend File Manager Plugin,NVD. - Affected tech stack:
wordpress/php. - Revenue tags:
sellable_to_fintech,enterprise_blocker,high_priority_sla.
Related recipes
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-8095
- https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.6/inc/file.class.php#L729
- https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.6/inc/files.php#L767
- https://www.wordfence.com/threat-intel/vulnerabilities/id/506006ce-7b1c-4f9d-93f3-abc87abea2bb?source=cve