CVE-2021-4356— Frontend File Manager <= 18.2 - Unauthenticated Arbitrary File Download

CVSS 9.0 · Critical EPSS 0.74% · P73 Updated Apr 09, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2021-4356

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Frontend File Manager <= 18.2 - Unauthenticated Arbitrary File Download

Source: NVD (National Vulnerability Database)

Vulnerability Description

The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Download in versions up to, and including, 18.2. This is due to lacking authentication protections, capability checks, and sanitization, all on the wpfm_file_meta_update AJAX action. This makes it possible for unauthenticated attackers to download arbitrary files on the site, potentially leading to site takeover.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Source: NVD (National Vulnerability Database)

Vulnerability Type

授权机制缺失

Source: NVD (National Vulnerability Database)

Vulnerability Title

WordPress Plugin Frontend File Manager 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress Plugin Frontend File Manager 存在安全漏洞，该漏洞源于 wpfm_file_meta_update AJAX 接口缺少身份验证保护、功能检查和清理。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
nmedia	Frontend File Manager Plugin	* ~ 18.3	-

II. Public POCs for CVE-2021-4356

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2021-4356

请登录查看更多情报信息。

Same Patch Batch · nmedia · 2023-06-07 · 8 CVEs total

CVE-2021-4368	9.9 CRITICAL	Frontend File Manager <= 18.2 - Authenticated Settings Change leading to Arbitrary File Up
CVE-2021-4365	7.2 HIGH	Frontend File Manager <= 18.2 - Unauthenticated Stored Cross-Site Scripting
CVE-2021-4350	7.2 HIGH	Frontend File Manager <= 18.2 - Unauthenticated HTML Injection leading to Spam Emails
CVE-2021-4359	6.5 MEDIUM	Frontend File Manager Plugin <= 18.2 - Unauthenticated Arbitrary Post Deletion
CVE-2021-4344	6.4 MEDIUM	Frontend File Manager <= 18.2 - Privilege Escalation
CVE-2021-4369	5.8 MEDIUM	Frontend File Manager <= 18.2 - Unauthenticated Content Injection
CVE-2021-4351	5.8 MEDIUM	Frontend File Manager <= 18.2 - Unauthenticated Post Meta Change

IV. Related Vulnerabilities

Same product: Frontend File Manager Plugin

Same vendor: nmedia

Same weakness: CWE-862

V. Comments for CVE-2021-4356

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2021-4356— Frontend File Manager <= 18.2 - Unauthenticated Arbitrary File Download

I. Basic Information for CVE-2021-4356

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2021-4356

III. Intelligence Information for CVE-2021-4356

Same Patch Batch · nmedia · 2023-06-07 · 8 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2021-4356

Leave a comment