Vulnerability overview
Vulnerability name: Frontend File Manager Plugin <= 23.6 - Unauthenticated Arbitrary File Download
Description: The plugin does not properly enforce the nonce check in its file download handler, allowing unauthenticated attackers to download any user-uploaded file by iterating over identifiers.
Vulnerability type: IDOR (Insecure Direct Object Reference)
Classification: OWASP Top 10: A5: Broken Access Control
CWE: CWE-639
CVSS: 7.5 (high)
CVE ID: CVE-2026-8379

Affected scope
Affected plugin: nmedia-user-file-uploader
Fix status: no known fix

Remediation
There is currently no known fix. Users are advised to update the plugin to the latest version as soon as possible or to contact the plugin developer for remediation guidance.

Proof of concept (PoC) code

Timeline
Publicly disclosed: 2026-06-02
Added: 2026-06-02
Last updated: 2026-06-02

Other information
Original researcher: Alexander Jurkschat
Submitter: Alexander Jurkschat
Verified: Yes
WPVDB ID: 71619406-19bb-437f-9538-fdf73de98827

Related vulnerabilities
WP Job Portal < 2.2.7 - Insecure Direct Object Reference to Authenticated (Employer+) Arbitrary Job Deletion
Profile Builder < 3.1.3 - Restricted Email Bypass
FeedWordPress < 2024.0428 - Unauthenticated Draft Access
Salon Booking System - Free Version < 10.30.25 - Unauthenticated Insecure Direct Object Reference
WP Timelics - AI-powered Appointment Booking Calendar and Online Scheduling Plugin < 1.0.26 - Insecure Direct Object Reference to Unauthenticated Arbitrary User Password/Email Reset/Account Takeover