CVE-2026-122771
The Frontend File Manager Plugin WordPress plugin through 23.6 does not validate a file path derived from user input before deleting the referenced file, allowing unauthenticated users to delete arbitrary files on the server (such as wp-config.php) when guest upload mode is enabled. Deleting wp-config.php forces the site into its setup routine, which can be leveraged toward a full site takeover.
- Public exploit or PoC is available
- CVSS base score ≥ 7.0
Exploitation evidence
1 of 7 sourcesExploitation momentum
2 days of EPSSCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:HPublic Exploits & PoCs
1ATT&CK techniques
1Techniques this CVE enables. Pills with a solid outline are high confidence - named directly in ATT&CK or Nuclei, or human-curated by CTID; the rest are inferred from the weakness type using MITRE's CVE Mapping Methodology and the CWE → CAPEC chain. Broad, generic-weakness guesses are filtered out. A small N× marks a technique that N independent sources agree on.
▤ Build a SIEM detection for these techniques