CVE-2026-1280: CWE-862 Missing Authorization in nmedia Frontend File Manager Plugin
The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_email' AJAX action in all versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to share arbitrary uploaded files via email by supplying a file ID. Since file IDs are sequential integers, attackers can enumerate all uploaded files on the site and exfiltrate sensitive data that was intended to be restricted to administrators only.
AI Analysis
Technical Summary
CVE-2026-1280 is a missing authorization vulnerability (CWE-862) in the nmedia Frontend File Manager Plugin for WordPress. The plugin fails to perform a capability check on the AJAX action 'wpfm_send_file_in_email', enabling unauthenticated users to send arbitrary files by email using sequential file IDs. This allows attackers to enumerate and exfiltrate sensitive uploaded files without authentication. The vulnerability affects all versions up to 23.5. There is no vendor advisory or patch information available at this time.
Potential Impact
An unauthenticated attacker can exploit this vulnerability to access and share arbitrary uploaded files via email, potentially exposing sensitive data restricted to administrators. The ability to enumerate file IDs increases the risk of mass data exfiltration. The vulnerability does not affect system integrity or availability but results in a confidentiality breach.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict access to the plugin or disable the vulnerable AJAX action if possible. Monitor official nmedia or WordPress security channels for updates and apply patches promptly once released.
CVE-2026-1280: CWE-862 Missing Authorization in nmedia Frontend File Manager Plugin
Description
The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_email' AJAX action in all versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to share arbitrary uploaded files via email by supplying a file ID. Since file IDs are sequential integers, attackers can enumerate all uploaded files on the site and exfiltrate sensitive data that was intended to be restricted to administrators only.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-1280 is a missing authorization vulnerability (CWE-862) in the nmedia Frontend File Manager Plugin for WordPress. The plugin fails to perform a capability check on the AJAX action 'wpfm_send_file_in_email', enabling unauthenticated users to send arbitrary files by email using sequential file IDs. This allows attackers to enumerate and exfiltrate sensitive uploaded files without authentication. The vulnerability affects all versions up to 23.5. There is no vendor advisory or patch information available at this time.
Potential Impact
An unauthenticated attacker can exploit this vulnerability to access and share arbitrary uploaded files via email, potentially exposing sensitive data restricted to administrators. The ability to enumerate file IDs increases the risk of mass data exfiltration. The vulnerability does not affect system integrity or availability but results in a confidentiality breach.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict access to the plugin or disable the vulnerable AJAX action if possible. Monitor official nmedia or WordPress security channels for updates and apply patches promptly once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-01-20T22:17:51.761Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6979f49d4623b1157cb3651a
Added to database: 1/28/2026, 11:35:57 AM
Last enriched: 4/9/2026, 11:16:03 AM
Last updated: 5/10/2026, 9:09:09 AM
Views: 88
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.