Vulnerability Description
The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to, and including, 18.2. This is due to missing authentication checks and missing input sanitisation on the wpfm_edit_file_title_desc AJAX action. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.
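The two missing controls named above (an authentication check and input sanitisation on the AJAX action) are shown side by side in the following added illustration. This is not the plugin's own code: the callback names, the nonce action, the field names and the use of wp_update_post are assumptions made for the example.

```php
<?php
// Added illustration of the weakness class described above. NOT the plugin's
// code: callback names, nonce action and request field names are assumed.

// Vulnerable shape (left unregistered here): the handler is reachable without
// login via the nopriv hook and stores attacker-controlled input verbatim.
// add_action( 'wp_ajax_nopriv_wpfm_edit_file_title_desc', 'weak_edit_file_title_desc' );
// add_action( 'wp_ajax_wpfm_edit_file_title_desc',        'weak_edit_file_title_desc' );
function weak_edit_file_title_desc() {
    $file_id = (int) $_POST['file_id'];
    wp_update_post( array(
        'ID'           => $file_id,
        'post_title'   => $_POST['title'],        // unsanitised, later rendered
        'post_content' => $_POST['description'],  // unsanitised, later rendered
    ) );
    wp_send_json_success();
}

// Hardened shape: authenticated hook only, CSRF nonce, per-object capability
// check, input sanitised before storage, output escaped in the response.
add_action( 'wp_ajax_wpfm_edit_file_title_desc', 'hardened_edit_file_title_desc' );
function hardened_edit_file_title_desc() {
    check_ajax_referer( 'wpfm_edit_file_nonce', 'nonce' ); // dies on bad/missing nonce
    $file_id = isset( $_POST['file_id'] ) ? absint( $_POST['file_id'] ) : 0;
    if ( ! $file_id || ! current_user_can( 'edit_post', $file_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Plain-text title; description limited to the post-safe HTML subset.
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $desc  = wp_kses_post( wp_unslash( $_POST['description'] ?? '' ) );
    wp_update_post( array(
        'ID'           => $file_id,
        'post_title'   => $title,
        'post_content' => $desc,
    ) );
    // Escape again at the output boundary; stored data is not trusted on read.
    wp_send_json_success( array(
        'title'       => esc_html( $title ),
        'description' => wp_kses_post( $desc ),
    ) );
}
```

Any template that later prints these values must still wrap them in esc_html() or wp_kses_post(), since sanitisation on write does not replace escaping on output.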
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Najeebmedia | Frontend File Manager Plugin | <= 18.2 |
Related Weaknesses (CWE)
References
- https://blog.nintechnet.com/wordpress-frontend-file-manager-plugin-fixed-multipl [Exploit]
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old [Patch]
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a9c82154-d390-44ba-a54 [Third Party Advisory]
FAQ
What is CVE-2021-4365?
CVE-2021-4365 is a vulnerability with a CVSS score of 7.2 (HIGH). The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to, and including, 18.2. This is due to lacking authentication protections an...
How severe is CVE-2021-4365?
CVE-2021-4365 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-4365?
Check the references section above for vendor advisories and patch information. Affected products include: Najeebmedia Frontend File Manager Plugin.