CVE-2026-0829 (GCVE-0-2026-0829)

Vulnerability from cvelistv5 – Published: 2026-02-17 06:00 – Updated: 2026-02-17 06:00
VLAI?
Title
Frontend File Manager Plugin <= 23.5 - Unauthenticated Arbitrary Email Sending
Summary
The Frontend File Manager Plugin WordPress plugin through 23.5 allows unauthenticated users to send emails through the site without any security checks. This lets attackers use the WordPress site as an open relay for spam or phishing emails to anyone. Attackers can also guess file IDs to access and share uploaded files without permission, exposing sensitive information.
Severity ?
No CVSS data available.
CWE
Assigner
References
https://wpscan.com/vulnerability/57d62cea-cfb8-44… exploitvdb-entrytechnical-description
Impacted products
Vendor Product Version
Unknown Frontend File Manager Plugin Affected: 0 , ≤ 23.5 (semver)
Create a notification for this product.
Credits
yiğit ibrahim sağlam WPScan
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Frontend File Manager Plugin",
          "vendor": "Unknown",
          "versions": [
            {
              "lessThanOrEqual": "23.5",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "yi\u011fit ibrahim sa\u011flam"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "WPScan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Frontend File Manager Plugin WordPress plugin through 23.5 allows unauthenticated users to send emails through the site without any security checks. This lets attackers use the WordPress site as an open relay for spam or phishing emails to anyone. Attackers can also guess file IDs to access and share uploaded files without permission, exposing sensitive information."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-17T06:00:06.506Z",
        "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "shortName": "WPScan"
      },
      "references": [
        {
          "tags": [
            "exploit",
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://wpscan.com/vulnerability/57d62cea-cfb8-4421-a209-e64a015ad225/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Frontend File Manager Plugin \u003c= 23.5 - Unauthenticated Arbitrary Email Sending",
      "x_generator": {
        "engine": "WPScan CVE Generator"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
    "assignerShortName": "WPScan",
    "cveId": "CVE-2026-0829",
    "datePublished": "2026-02-17T06:00:06.506Z",
    "dateReserved": "2026-01-09T20:13:31.418Z",
    "dateUpdated": "2026-02-17T06:00:06.506Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-0829\",\"sourceIdentifier\":\"contact@wpscan.com\",\"published\":\"2026-02-17T07:16:31.883\",\"lastModified\":\"2026-02-17T07:16:31.883\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Frontend File Manager Plugin WordPress plugin through 23.5 allows unauthenticated users to send emails through the site without any security checks. This lets attackers use the WordPress site as an open relay for spam or phishing emails to anyone. Attackers can also guess file IDs to access and share uploaded files without permission, exposing sensitive information.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://wpscan.com/vulnerability/57d62cea-cfb8-4421-a209-e64a015ad225/\",\"source\":\"contact@wpscan.com\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.