CVE-2026-8378
MEDIUM 5.4 PoC AVAILABLEThe Frontend File Manager Plugin WordPress plugin through 23.6 does not sanitise nor escape a filename submitted to the frontend file-rename endpoint before storing it as post meta and rendering it back on the admin File Manager listing, leading to a Stored Cross-Site Scripting vulnerability exploitable by users with Subscriber-level access and above against an administrator viewing the file management interface.
Public exploit or PoC code exists. Modeled probability is still low, but the barrier to attack is reduced — watch closely.
Exploitation likelihood
0.1%chance of exploitation in 30 days · 3rd percentile
Impact if exploited
5.4CVSS 3.1 · MEDIUM
- ConfidentialityLow
- IntegrityLow
- AvailabilityNone
What an attacker needs
- ✓Access: Reachable over the network — no local access needed
- ⚠Privileges: Requires a low-privilege account
- ⚠User interaction: A user must take an action (click / open a file)
- ✓Complexity: No special conditions — reliably repeatable
✓ lowers the bar for an attacker · ⚠ raises it
Proof of concept & exploit code
Listed for defensive triage and patch prioritization.
Weakness (CWE)
Not classified.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N