CVE-2026-8378
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk5th percentile — higher than 5% of all known CVEs
Summary
The Frontend File Manager Plugin for WordPress through version 23.6 does not sanitize or escape a filename submitted to the frontend file-rename endpoint, leading to a Stored Cross-Site Scripting vulnerability.
Risk Assessment
Users with Subscriber-level access and above can exploit this vulnerability, posing a risk to administrators viewing the file management interface.
Recommendation
It is recommended to update the plugin to the latest version and implement additional security measures to restrict access to the file renaming functionality.
Original NVD description (English source)
The Frontend File Manager Plugin WordPress plugin through 23.6 does not sanitise nor escape a filename submitted to the frontend file-rename endpoint before storing it as post meta and rendering it back on the admin File Manager listing, leading to a Stored Cross-Site Scripting vulnerability exploitable by users with Subscriber-level access and above against an administrator viewing the file management interface.

