Critical Vulnerabilities Spotted In WordPress Plugin Frontend File Manager

Another WordPress plugin has received major security updates after being riddled with numerous flaws. This time, it is the WordPress Frontend File Manager plugin that was found to contain critical severity vulnerabilities.

Frontend File Manager Plugin Vulnerabilities

Researchers from NinTechNet discovered six critical security vulnerabilities in the Frontend File Manager plugin for WordPress. This plugin facilitates users in uploading files for the site admin.

Specifically, the vulnerabilities they discovered could lead to various consequences upon exploitation. Here’s a quick overview of the bugs.

• Privilege escalation: an adversary could exploit the plugin’s function to retrieve user ID by overriding the $current_user_id L318 to gain elevated privileges. All it required was to assign any user ID to the $_GET[‘file_owner’] variable.
• Stored XSS: the wpfm_edit_file_title_desc function of the plugin lacked security nonce to verify if the user is editing its own or others’ post, allowing an unauthenticated adversary to inject JavaScript code in any posts or page of the site.
• Arbitrary file upload: the wpfm_save_settings function for saving plugin settings lacked security nonce. Hence, an authenticated adversary could modify the settings to upload arbitrary files and gain remote code execution privileges.
• Arbitrary post deletion: due to the lack of security nonce in the wpfm_delete_file function, an unauthenticated adversary could delete posts of the site.
• Arbitrary file download: the wpfm_file_meta_update function responsible for modifying posts’ metadata lacked nonce and data sanitization. Hence, an adversary could change the metadata of any post and download the file.
• HTML injection: due to a lack of sanitization in the wpfm_send_file_in_email function responsible for sending emails in HTML format, an adversary could inject HTML codes to customize emails and exploit the blog as a spam relay.

More details about the vulnerabilities are available in the researchers’ post.

Patches Deployed

The researchers initially discovered the vulnerabilities in the plugin version 17.2, which they then reported to the developers on May 20, 2021. Consequently, the developers released a plugin update. However, it lacked fixes for all the bugs.

Thus, the bugs continued to affect plugin versions until 18.2. Eventually, the final release of the plugin version 18.3 addressed all the fixes.

The current version of the Frontend File Manager Plugin is 19.3, though, which addresses some more issues. So, all plugin users must ensure updating their sites with the latest version or any release later than 18.3.