{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T07:32:00.225","vulnerabilities":[{"cve":{"id":"CVE-2026-1280","sourceIdentifier":"security@wordfence.com","published":"2026-01-28T12:15:52.593","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_email' AJAX action in all versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to share arbitrary uploaded files via email by supplying a file ID. Since file IDs are sequential integers, attackers can enumerate all uploaded files on the site and exfiltrate sensitive data that was intended to be restricted to administrators only."},{"lang":"es","value":"El plugin Frontend File Manager para WordPress es vulnerable al uso compartido de archivos no autorizado debido a una comprobación de capacidad faltante en la acción AJAX 'wpfm_send_file_in_email' en todas las versiones hasta la 23.5, inclusive. Esto permite a atacantes no autenticados compartir archivos subidos arbitrarios por correo electrónico al proporcionar un ID de archivo. Dado que los ID de archivo son enteros secuenciales, los atacantes pueden enumerar todos los archivos subidos en el sitio y exfiltrar datos sensibles que estaban destinados a ser restringidos solo a los administradores."}],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security@wordfence.com","type":"Secondary","description":[{"lang":"en","value":"CWE-862"}]}],"references":[{"url":"https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.5/inc/callback-functions.php#L98","source":"security@wordfence.com"},{"url":"https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/trunk/inc/callback-functions.php#L98","source":"security@wordfence.com"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/e739e7d3-756a-4c93-9ca7-f7b9f9657033?source=cve","source":"security@wordfence.com"}]}}]}