CVE-2026-1280: CWE-862 Missing Authorization in nmedia Frontend File Manager Plugin
The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_email' AJAX action in all versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to share arbitrary uploaded files via email by supplying a file ID. Since file IDs are sequential integers, attackers can enumerate all uploaded files on the site and exfiltrate sensitive data that was intended to be restricted to administrators only.
AI Analysis
Technical Summary
The nmedia Frontend File Manager Plugin for WordPress contains a critical authorization bypass vulnerability identified as CVE-2026-1280. It arises from the absence of a capability check on the AJAX action 'wpfm_send_file_in_email', which emails an uploaded file to a supplied address. Because the action can be triggered without authentication, an attacker can supply a file ID parameter and have any uploaded file sent to an arbitrary email address. The plugin uses sequential integer file IDs, so an attacker can enumerate every uploaded file systematically, leading to unauthorized disclosure of files that are supposed to be restricted to administrators. The vulnerability affects all versions up to and including 23.5. The CVSS 3.1 base score is 7.5: network attack vector, low complexity, no privileges required, no user interaction, high confidentiality impact, and no integrity or availability impact. No patches were linked at the time of disclosure, and no active exploitation has been reported. The vulnerability is a significant confidentiality risk for WordPress sites running this plugin, especially those hosting sensitive or private files.
Potential Impact
The primary impact of CVE-2026-1280 is unauthorized disclosure of sensitive files stored and managed via the Frontend File Manager Plugin. Attackers can exfiltrate confidential data such as internal documents, user information, or proprietary content by enumerating file IDs and sending files to external email addresses. This breach of confidentiality can lead to data leaks, regulatory non-compliance, reputational damage, and potential financial losses. Since the vulnerability does not affect integrity or availability, the threat is limited to data exposure. The ease of exploitation (no authentication or user interaction is required) makes it highly accessible to remote attackers. Organizations relying on this plugin for file management on public-facing WordPress sites are at significant risk, particularly those in regulated industries or handling sensitive information. The lack of known exploits in the wild suggests this is a newly disclosed vulnerability, but the potential for rapid exploitation is high given the straightforward attack vector.
Mitigation Recommendations
Immediate mitigation should focus on restricting access to the vulnerable AJAX action. Until an official patch is released, administrators can implement web application firewall (WAF) rules to block unauthenticated requests to 'wpfm_send_file_in_email'. Additionally, disabling or removing the Frontend File Manager Plugin if not essential can eliminate exposure. Site owners should audit uploaded files for sensitive content and consider encrypting or relocating critical files outside the plugin's management scope. Monitoring outgoing emails for suspicious activity related to file sharing is also recommended. Once a patch is available, prompt updating to the fixed plugin version is essential. Implementing strict file access controls and ensuring that all AJAX actions enforce proper capability checks can prevent similar vulnerabilities. Regular security assessments and plugin updates should be part of ongoing maintenance.
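As an added illustration, and not code from the Frontend File Manager Plugin or from this advisory, the following shows a generic WordPress AJAX handler written two ways: the CWE-862 pattern the Technical Summary describes (handler reachable without login, file ID trusted outright) beside the hardened form the mitigation section calls for (capability check on every AJAX action, plus object-level access control). The plugin's real handler, the parameter names ('file_id', 'email', '_ajax_nonce'), the storage model (files as attachment posts owned by the uploader) and the capability used ('upload_files') are all assumptions made for the example.

```php
<?php
// Added example, not the plugin's code. Assumptions (not from the advisory):
// uploaded files are WordPress attachment posts whose post_author is the
// uploader, the request carries 'file_id', 'email' and a nonce in '_ajax_nonce',
// and 'upload_files' is the capability that should gate sharing.

// --- Vulnerable pattern (defined for contrast, deliberately NOT hooked) ---
// Registering the handler on wp_ajax_nopriv_<action> as well as wp_ajax_<action>
// makes it callable by anyone who can reach admin-ajax.php; with no
// current_user_can() and no ownership check, any sequential file_id resolves.
function wpfm_example_send_file_insecure() {
    $file_id = absint( $_POST['file_id'] ?? 0 );
    $email   = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $file    = get_post( $file_id );
    wp_mail( $email, $file ? $file->post_title : 'file', '', array(), array( get_attached_file( $file_id ) ) );
    wp_send_json_success();
}

// --- Hardened form ---
// Only the logged-in hook is registered, so the unauthenticated (nopriv) path
// does not exist at all.
add_action( 'wp_ajax_wpfm_send_file_in_email', 'wpfm_example_send_file_secure' );

function wpfm_example_send_file_secure() {
    // CSRF: the form must embed wp_create_nonce( 'wpfm_send_file' ) as _ajax_nonce.
    check_ajax_referer( 'wpfm_send_file', '_ajax_nonce' );

    // Authorization: the capability check CWE-862 says is missing.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Input validation before anything is looked up or sent.
    $file_id = absint( $_POST['file_id'] ?? 0 );
    $email   = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( ! $file_id || ! is_email( $email ) ) {
        wp_send_json_error( 'bad request', 400 );
    }

    // Object-level authorization: a sequential integer ID is a guess anyone can
    // make, so bind it to the caller. Admins may share any file, others only
    // their own uploads. This is what stops ID enumeration by a logged-in user.
    $file = get_post( $file_id );
    if ( ! $file || 'attachment' !== $file->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }
    if ( (int) $file->post_author !== get_current_user_id() && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $path = get_attached_file( $file_id );
    if ( ! $path || ! file_exists( $path ) ) {
        wp_send_json_error( 'not found', 404 );
    }

    // Audit trail: who shared which file with whom, so outgoing shares can be
    // reviewed as the mitigation section recommends.
    error_log( sprintf( 'wpfm share: user=%d file=%d to=%s', get_current_user_id(), $file_id, $email ) );

    wp_mail( $email, $file->post_title, 'A file has been shared with you.', array(), array( $path ) );
    wp_send_json_success();
}
```

Two points for the interim WAF mitigation follow from how WordPress AJAX works: every such request arrives at /wp-admin/admin-ajax.php with the action in the `action` parameter, so a rule can key on `action=wpfm_send_file_in_email` from clients that carry no WordPress login cookie, and an action is only reachable without login if the plugin registered it on the `wp_ajax_nopriv_` hook, which is the registration to look for when auditing other plugins for the same class of bug. Note that a capability check alone does not close the enumeration problem; the ownership (or equivalent per-object) check is what keeps an authenticated low-privilege user from walking sequential IDs.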
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-20T22:17:51.761Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6979f49d4623b1157cb3651a
Added to database: 1/28/2026, 11:35:57 AM
Last enriched: 2/26/2026, 7:02:40 PM
Last updated: 3/26/2026, 5:48:21 AM