CVE-2025-14804: CWE-73 External Control of File Name or Path in Frontend File Manager Plugin
CVE-2025-14804 is a high-severity vulnerability in the Frontend File Manager WordPress plugin prior to version 23.5. It allows any authenticated user, including low-privilege roles such as subscribers, to delete arbitrary files on the server because the plugin neither validates the user-supplied path parameter nor verifies that the caller owns the file. The vulnerability requires no user interaction and can be exploited remotely over the network. Its CVSS vector scores confidentiality and availability as not impacted, but integrity as highly impacted, since any file the web server process can write to can be deleted. No exploits are currently reported in the wild. European organizations running this plugin on WordPress sites are at risk, especially those that allow self-registration or otherwise have subscriber-level accounts. Mitigation requires updating to version 23.5 or later (or deactivating the plugin until that is possible) and restricting file-management features to trusted users. Countries with high WordPress usage and significant e-commerce or media sectors, such as Germany, France, and the UK, are most likely affected.
AI Analysis
Technical Summary
CVE-2025-14804 is a vulnerability identified in the Frontend File Manager Plugin for WordPress versions before 23.5. The flaw arises from the plugin's failure to validate the 'path' parameter and to verify file ownership before performing a file deletion. This weakness falls under CWE-73 (External Control of File Name or Path): the client controls the path string, so traversal sequences or absolute paths let it name files outside the directory the plugin is meant to manage, and the missing ownership check lets it name other users' files inside that directory. The vulnerability permits any authenticated user, including those with minimal privileges such as subscribers, to delete arbitrary files that the web server process may remove. Exploitation requires no user interaction and can be performed remotely over the network. The CVSS v3.1 score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N) rates confidentiality and availability as not impacted and integrity as highly impacted. The scope is changed (S:C) because the affected resources (the WordPress installation's files and other users' files) lie outside the security scope of the plugin component that is vulnerable. No public exploits have been reported yet, but the ease of exploitation and low privilege requirement make it a significant threat. The vulnerability could lead to defacement, disruption of website functionality, or deletion of critical files, potentially causing operational issues or reputational damage.
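The two missing checks described above, a path-containment check and an ownership check, are shown below in a self-contained Python model of a "delete file" handler. This is an added illustration, not code from the plugin (which is PHP) or from WPScan; the FileStore class, the per-user directory layout and the stand-in wp-config.php are constructed for the demo. The vulnerable handler trusts the client-supplied path exactly as CWE-73 describes; the hardened handler canonicalises the path, confines it to the managed root, and then requires the caller to own the file.

```python
"""Vulnerable vs. hardened "delete file" handler modelled on the CWE-73 flaw.

Added example, not the plugin's own code. Layout, owner map and the
stand-in wp-config.php are constructed for the demonstration.
"""
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class FileStore:
    root: str                                   # directory the plugin is meant to manage
    owners: dict = field(default_factory=dict)  # relative path -> owner user id (hypothetical metadata)

    def put(self, user_id, rel_path, data=b"x"):
        full = os.path.join(self.root, rel_path)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        self.owners[rel_path] = user_id
        return full


def delete_vulnerable(store, user_id, path):
    """CWE-73: the client-controlled 'path' is used as-is and ownership is never checked."""
    target = os.path.join(store.root, path)  # '..' walks out of root; an absolute path discards root entirely
    if os.path.isfile(target):
        os.remove(target)
        return True
    return False


def delete_hardened(store, user_id, path):
    """Canonicalise, confine to the managed root, then enforce ownership."""
    root = os.path.realpath(store.root)
    target = os.path.realpath(os.path.join(root, path))  # resolves '..' and symlinks
    # 1. Containment: the resolved target must sit strictly below the managed root.
    if target == root or os.path.commonpath([root, target]) != root:
        return False
    # 2. Ownership: the record for this file must name the caller.
    rel = os.path.relpath(target, root)
    if store.owners.get(rel) != user_id:
        return False
    if not os.path.isfile(target):
        return False
    os.remove(target)
    del store.owners[rel]
    return True


def demo():
    """Run both handlers against traversal, absolute-path, cross-user and symlink cases."""
    base = tempfile.mkdtemp()
    store = FileStore(os.path.join(base, "uploads"))
    os.makedirs(store.root)
    config = os.path.join(base, "wp-config.php")  # constructed stand-in for a file outside the root
    open(config, "w").close()
    alice, bob = 1, 2
    store.put(alice, "alice/report.pdf")
    store.put(bob, "bob/notes.txt")

    r = {}
    # Vulnerable handler: traversal reaches outside the root, and bob deletes alice's file.
    r["vuln_traversal"] = delete_vulnerable(store, bob, "../wp-config.php")
    r["config_gone"] = not os.path.exists(config)
    r["vuln_other_owner"] = delete_vulnerable(store, bob, "alice/report.pdf")

    # Recreate the deleted files and repeat against the hardened handler.
    open(config, "w").close()
    store.put(alice, "alice/report.pdf")
    r["hard_traversal"] = delete_hardened(store, bob, "../wp-config.php")
    r["hard_absolute"] = delete_hardened(store, bob, config)
    r["hard_other_owner"] = delete_hardened(store, bob, "alice/report.pdf")
    r["hard_own_file"] = delete_hardened(store, bob, "bob/notes.txt")

    # Symlink inside the root pointing outside: owned by bob, but realpath escapes the root.
    link = os.path.join(store.root, "bob", "link")
    try:
        os.symlink(config, link)
        store.owners["bob/link"] = bob
        r["hard_symlink"] = delete_hardened(store, bob, "bob/link")
    except OSError:
        r["hard_symlink"] = False  # platform without symlink support: nothing to delete
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} {v}")
```

The order of the two checks matters: realpath-then-commonpath must run before any filesystem operation, because it is the resolved path, not the string the client sent, that decides whether the file is in scope. In the real plugin the equivalent PHP would use realpath() and the WordPress upload directory as the root, with the owner taken from the plugin's own file metadata rather than from anything in the request.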
Potential Impact
For European organizations, this vulnerability poses a significant risk to the integrity of their web infrastructure, especially those relying on WordPress with the Frontend File Manager plugin installed. Unauthorized file deletion can disrupt business operations, cause data loss, and require costly recovery efforts. E-commerce platforms, media companies, and public sector websites are particularly exposed because they commonly run WordPress and maintain multiple user roles, including subscribers. The CVSS vector rates confidentiality and availability as not impacted, which reduces the risk of a data breach, but in practice deleting files such as wp-config.php or .htaccess takes a WordPress site offline, so the operational effect can exceed what the A:N rating suggests. The vulnerability could also be used as one step in a broader attack chain, for example deleting security plugin files or local backups to clear the way for further compromise. The absence of known exploits in the wild currently limits widespread impact, but the low privilege requirement and simplicity of the flaw mean it could be weaponized quickly once details circulate.
Mitigation Recommendations
1. Immediately update the Frontend File Manager plugin to version 23.5 or later, where the vulnerability is patched. If an update cannot be applied at once, deactivate the plugin until it can.
2. Restrict file-management features to trusted users with elevated privileges; do not expose them to subscriber-level accounts, and review whether open user registration is needed at all.
3. Deploy web application firewall (WAF) rules that inspect request bodies as well as query strings and block path parameters containing traversal sequences (including percent-encoded and double-encoded forms) or absolute paths aimed at the plugin's endpoints.
4. Regularly audit WordPress user roles and capabilities so that each account holds only the privileges it needs.
5. Monitor web server and application logs for deletion requests to the plugin's endpoints that carry suspicious path values, and for unexpected disappearance of core files.
6. Maintain regular, off-host backups of website files and databases so that deleted or tampered files can be restored quickly.
7. Where a frontend file manager is genuinely required, run it on a dedicated site or host separated from business-critical WordPress instances, or evaluate an alternative plugin with a stronger security track record.
8. Educate site administrators about the risks of granting file-management capabilities to low-privilege users.
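The WAF and log-monitoring recommendations (items 3 and 5) amount to one detection rule: flag requests to the plugin's endpoint whose path parameter, after full percent-decoding, escapes a relative sub-directory. The Python below runs that rule over a few constructed access-log lines. It is an added example, not the plugin's or WPScan's code; the endpoint (WordPress's admin-ajax.php), the action name ffm_delete_file and the parameter name path are assumptions standing in for the plugin's real request shape, which this page does not document.

```python
"""Detect CWE-73 style path abuse against a WordPress plugin endpoint in access logs.

Added example. Endpoint, action name and parameter name are assumed, not taken
from the plugin; the log lines are constructed, not real traffic.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jan/2026:06:22:02 +0000] "POST /wp-admin/admin-ajax.php?action=ffm_delete_file&path=docs%2Freport.pdf HTTP/1.1" 200 27 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jan/2026:06:22:09 +0000] "POST /wp-admin/admin-ajax.php?action=ffm_delete_file&path=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 27 "-" "Mozilla/5.0"
198.51.100.4 - - [07/Jan/2026:06:23:41 +0000] "POST /wp-admin/admin-ajax.php?action=ffm_delete_file&path=%252e%252e%252f.htaccess HTTP/1.1" 200 27 "-" "curl/8.5"
198.51.100.4 - - [07/Jan/2026:06:24:00 +0000] "POST /wp-admin/admin-ajax.php?action=ffm_delete_file&path=/var/www/html/wp-config.php HTTP/1.1" 200 27 "-" "curl/8.5"
192.0.2.10 - - [07/Jan/2026:06:25:13 +0000] "GET /index.php?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_repeatedly(value, rounds=3):
    """Undo nested percent-encoding (%252e -> %2e -> .) so double encoding cannot hide '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_path(value):
    """Return why a path value is suspicious, or None if it stays inside a relative sub-directory."""
    v = decode_repeatedly(value).replace("\\", "/")
    if "\x00" in v:
        return "null byte"
    if v.startswith("/"):
        return "absolute path"
    if any(seg == ".." for seg in v.split("/")):
        return "directory traversal"
    return None


def find_path_abuse(log_text, endpoint="/wp-admin/admin-ajax.php", param="path"):
    """Scan log lines for requests to `endpoint` whose `param` escapes the managed directory."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith(endpoint):
            continue
        # parse_qs decodes one layer; classify_path strips any further layers.
        for raw in parse_qs(url.query, keep_blank_values=True).get(param, []):
            reason = classify_path(raw)
            if reason:
                hits.append({"ip": m["ip"], "ts": m["ts"], "path": raw,
                             "reason": reason, "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for h in find_path_abuse(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {h["reason"]}: {h["path"]}')
```

Two caveats for real deployments: standard access logs record the query string but not POST bodies, so a parameter sent in the body is only visible to a WAF or to application-level logging; and a 200 status on a flagged request is a signal to check whether the named file still exists, since the vulnerable plugin returns success after deleting it.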
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: WPScan
- Date Reserved: 2025-12-16T21:54:07.344Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 695dfb8aa55ed4ed9983420a
Added to database: 1/7/2026, 6:22:02 AM
Last enriched: 1/14/2026, 4:03:46 PM
Last updated: 2/7/2026, 5:27:37 AM