
CVE-2026-1280: CWE-862 Missing Authorization in nmedia Frontend File Manager Plugin

Severity: High
Tags: vulnerability, cve-2026-1280, cwe-862
Published: Wed Jan 28 2026 (01/28/2026, 11:23:41 UTC)
Source: CVE Database V5
Vendor/Project: nmedia
Product: Frontend File Manager Plugin

Description

The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_email' AJAX action in all versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to share arbitrary uploaded files via email by supplying a file ID. Since file IDs are sequential integers, attackers can enumerate all uploaded files on the site and exfiltrate sensitive data that was intended to be restricted to administrators only.

AI-Powered Analysis

Last updated: 01/28/2026, 11:50:18 UTC

Technical Analysis

CVE-2026-1280 is a Missing Authorization (CWE-862) vulnerability in the nmedia Frontend File Manager Plugin for WordPress, affecting all versions up to and including 23.5. The plugin exposes an AJAX action, 'wpfm_send_file_in_email', that emails an uploaded file to a supplied address. The handler performs no capability check, and it is reachable by visitors who have no session at all: in WordPress terms, an action hooked on 'wp_ajax_nopriv_wpfm_send_file_in_email' can be invoked through /wp-admin/admin-ajax.php by anyone who can reach the site. An unauthenticated attacker can therefore call it directly with a file ID of their choosing.

File IDs are assigned as sequential integers, so the attacker does not need to know which files exist. Iterating over the ID space enumerates every uploaded file, and each one can be mailed to an attacker-controlled address. Files that were intended to be visible only to administrators are exfiltrated this way.

The CVSS 3.1 base score is 7.5 (High). The factors the advisory cites (network attack vector, low attack complexity, no privileges required, no user interaction, impact confined to confidentiality) correspond to the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N; integrity and availability are scored as unaffected because the action only discloses existing files.

At the time of publication there was no indication of exploitation in the wild and no patch was indicated. Any WordPress site with the affected plugin installed and the AJAX action reachable is exposed; the plugin is commonly used to manage file uploads and sharing on websites. A missing authorization check of this kind is trivial to weaponize and is the sort of oversight that leads directly to data leakage and compliance exposure.
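The pattern behind this class of bug, shown as an added illustration rather than the plugin's own code: a WordPress AJAX handler registered on the unauthenticated 'wp_ajax_nopriv_' hook that trusts a caller-supplied file ID, beside a hardened version. Everything other than the action name 'wpfm_send_file_in_email' is an assumption made for the example: the handler and nonce names, the 'file_id' and 'email' parameters, the storage model (files stored as WordPress attachments whose post_author is the uploader), and the capability names.

```php
<?php
/**
 * Added example (not the plugin's code): a missing-authorization AJAX handler
 * and its hardened counterpart. Names other than the action are hypothetical.
 */

// ---- Vulnerable pattern -------------------------------------------------
// Hooking the handler on wp_ajax_nopriv_* makes it reachable through
// /wp-admin/admin-ajax.php?action=wpfm_send_file_in_email without a session.
// The handler then acts on whatever file ID the caller supplies.
add_action( 'wp_ajax_wpfm_send_file_in_email',        'example_send_file_vulnerable' );
add_action( 'wp_ajax_nopriv_wpfm_send_file_in_email', 'example_send_file_vulnerable' );

function example_send_file_vulnerable() {
    $file_id = isset( $_POST['file_id'] ) ? absint( $_POST['file_id'] ) : 0;
    $to      = isset( $_POST['email'] ) ? sanitize_email( $_POST['email'] ) : '';

    $path = get_attached_file( $file_id ); // assumption: files are attachments
    if ( ! $path || ! $to ) {
        wp_send_json_error( 'bad request', 400 );
    }
    // No nonce, no capability check, no ownership check: any visitor can
    // walk file_id = 1, 2, 3, ... and have every file mailed to them.
    wp_mail( $to, 'Shared file', 'See attachment.', array(), array( $path ) );
    wp_send_json_success();
}

// ---- Hardened pattern ---------------------------------------------------
// 1. Only the authenticated hook is registered; there is no nopriv twin.
// 2. The request must carry a nonce bound to this action (anti-CSRF).
// 3. The caller needs a capability AND must be allowed to see this specific
//    file: authorization is checked per object, not only per user.
add_action( 'wp_ajax_wpfm_send_file_in_email', 'example_send_file_hardened' );

function example_send_file_hardened() {
    check_ajax_referer( 'wpfm_send_file_in_email', 'nonce' ); // exits with 403 on failure

    if ( ! current_user_can( 'upload_files' ) ) {            // capability is a placeholder
        wp_send_json_error( 'forbidden', 403 );
    }

    $file_id = isset( $_POST['file_id'] ) ? absint( $_POST['file_id'] ) : 0;
    $to      = isset( $_POST['email'] ) ? sanitize_email( $_POST['email'] ) : '';
    if ( ! $file_id || ! is_email( $to ) ) {
        wp_send_json_error( 'bad request', 400 );
    }

    // Object-level check. Without it a low-privileged account could still
    // enumerate sequential IDs and share other users' files.
    $owner = (int) get_post_field( 'post_author', $file_id );
    if ( $owner !== get_current_user_id() && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $path = get_attached_file( $file_id );
    if ( ! $path ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_mail( $to, 'Shared file', 'See attachment.', array(), array( $path ) );
    wp_send_json_success();
}
```

The front end that calls the hardened handler must send the nonce it obtains from wp_create_nonce( 'wpfm_send_file_in_email' ) in the 'nonce' field; check_ajax_referer() alone does not establish authorization, which is why the capability and ownership checks follow it. Randomizing file IDs would only slow enumeration; the fix is the authorization check.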

Potential Impact

For European organizations, the impact of CVE-2026-1280 is significant wherever WordPress sites run the nmedia Frontend File Manager Plugin. Unauthorized file sharing can expose corporate data, intellectual property, or personal data protected under GDPR, with the legal and financial consequences that follow, and a confidentiality breach of this kind also damages reputation and customer trust. Because exploitation is remote, unauthenticated and needs no user interaction, file enumeration and exfiltration can be automated at scale against any public-facing site with the plugin installed. The risk is greatest for sectors that handle sensitive information, such as finance, healthcare, legal services and government. The absence of known exploitation in the wild lowers the immediate risk but does not remove it: the bug is simple enough that working exploit code could be produced quickly. Overall, the vulnerability poses a high risk to data confidentiality and compliance for European entities using the affected plugin.

Mitigation Recommendations

1. Until a fixed version is available, block unauthenticated use of the 'wpfm_send_file_in_email' AJAX action, for example by unhooking it from 'wp_ajax_nopriv_wpfm_send_file_in_email' in a must-use plugin, or by rejecting the action early in the admin-ajax.php request path for callers without the required capability.
2. Enforce file access control on the server side: uploaded files should be served only to authorized users, and a predictable identifier must never be the only thing between a visitor and a file.
3. Monitor web server and WordPress logs for requests to admin-ajax.php carrying action=wpfm_send_file_in_email, in particular many requests from one source with incrementing file IDs. If the plugin passes its parameters in a POST body, the file ID will not appear in a standard access log, so log at the application layer as well.
4. Add a Web Application Firewall rule that blocks, or at least rate-limits, requests for this action from unauthenticated sessions.
5. Audit installed WordPress plugins regularly and remove or replace those that are unmaintained or have known security issues.
6. Follow the plugin vendor's announcements and apply the official patch as soon as it is released.
7. Brief site administrators on the risk of unauthorized file sharing and on secure file management practices.
8. Apply multi-factor authentication and least privilege to WordPress administrative accounts. This does not address the present bug, which needs no account at all, but it reduces overall site risk.
9. Where practical, randomize or obfuscate file identifiers. This raises the cost of enumeration but is not a substitute for the missing authorization check.
10. Back up critical data regularly so it can be recovered after loss or compromise.
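One way to carry out recommendations 1 and 3 together while waiting for a vendor fix, as an added example that is not part of the advisory and not vendor code: a must-use plugin that unhooks the unauthenticated route, refuses the action for callers who lack a capability, and writes one greppable log line per blocked attempt. Assumptions are labelled in the code: that the plugin registers its hooks on or before 'init', that the file ID arrives in a parameter named 'file_id', and that 'manage_options' is the right capability to require (the advisory says the files were meant for administrators only).

```php
<?php
/**
 * Plugin Name: Virtual patch for CVE-2026-1280 (added example, not vendor code)
 * Description: Blocks unauthenticated use of the wpfm_send_file_in_email AJAX
 *              action and logs attempts. Place in wp-content/mu-plugins/.
 */

const WPFM_GUARD_ACTION = 'wpfm_send_file_in_email';

// 1. Unhook whatever the plugin registered on the unauthenticated route.
//    remove_all_actions() needs no knowledge of the plugin's callback name.
//    Priority PHP_INT_MAX on 'init' runs after the plugin's own registration
//    (assumption: the plugin registers on plugins_loaded or init).
add_action( 'init', function () {
    remove_all_actions( 'wp_ajax_nopriv_' . WPFM_GUARD_ACTION );
}, PHP_INT_MAX );

// 2. Belt and braces: admin-ajax.php fires 'admin_init' before it dispatches
//    the wp_ajax_* / wp_ajax_nopriv_* hooks, so an unauthorized caller is
//    stopped here even if the handler gets re-registered later.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';
    if ( WPFM_GUARD_ACTION !== $action ) {
        return;
    }
    // Capability to require is a policy choice (assumption: admins only).
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }
    wpfm_guard_log( $action );
    wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // exits
}, 0 );

// 3. One line per blocked attempt. Enumeration shows up as many distinct
//    file_id values from one ip in a short window. 'file_id' is an assumed
//    parameter name; adjust to what the plugin actually sends.
function wpfm_guard_log( $action ) {
    $ip      = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
    $uri     = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-';
    $file_id = isset( $_REQUEST['file_id'] ) ? absint( $_REQUEST['file_id'] ) : 0;
    error_log( sprintf(
        'wpfm_guard: blocked action=%s ip=%s user=%d file_id=%d uri=%s',
        $action,
        $ip,
        get_current_user_id(),
        $file_id,
        $uri
    ) );
}
```

With WP_DEBUG_LOG enabled the lines land in wp-content/debug.log (otherwise in the PHP error log), where `grep 'wpfm_guard: blocked'` followed by a count of distinct file_id values per ip surfaces enumeration. Behind a reverse proxy REMOTE_ADDR is the proxy's address, so log the forwarded client address instead if the proxy is trusted to set it. Remove the must-use plugin once the vendor's fixed version is installed and verified.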


Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2026-01-20T22:17:51.761Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6979f49d4623b1157cb3651a

Added to database: 1/28/2026, 11:35:57 AM

Last enriched: 1/28/2026, 11:50:18 AM

Last updated: 2/6/2026, 6:38:25 PM
