Overview
CVE-2025-13382 describes an Insecure Direct Object Reference (IDOR) vulnerability found in the Frontend File Manager Plugin for WordPress. All versions up to and including 23.4 are affected. This flaw allows authenticated attackers, even those with Subscriber-level access, to rename files uploaded by other users. This is due to insufficient validation of file ownership during file rename requests processed by the /wpfm/v1/file-rename REST API endpoint.
Technical Details
The vulnerability stems from the Frontend File Manager plugin’s lack of proper authorization checks when handling file rename requests. The /wpfm/v1/file-rename REST API endpoint allows users to rename files using the fileid parameter, which specifies the ID of the file to be renamed.
Specifically, the plugin fails to verify if the user making the rename request is the owner of the file identified by the fileid. This allows an attacker with a valid, albeit low-privileged, WordPress account to manipulate the fileid parameter and rename files uploaded by other users, potentially leading to confusion, data disruption, or even more serious consequences depending on the nature of the renamed files.
The vulnerable code can be found in the class.rest.php file within the plugin. Refer to the references below for specific lines of code:
- Initial handling of the request: class.rest.php#L20
- File rename processing: class.rest.php#L52
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) score for CVE-2025-13382 is 4.3 (Medium).
The CVSS vector string is likely similar to: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- Attack Vector (AV:N): Network – The vulnerability is exploitable over the network.
- Attack Complexity (AC:L): Low – The attack is easily performed.
- Privileges Required (PR:L): Low – An attacker only needs low-level privileges (e.g., Subscriber) to exploit the vulnerability.
- User Interaction (UI:N): None – No user interaction is required.
- Scope (S:U): Unchanged – An exploited vulnerability can only affect resources managed by the same security authority.
- Confidentiality (C:N): None – There is no impact to confidentiality.
- Integrity (I:L): Low – There is a limited impact on data integrity.
- Availability (A:N): None – There is no impact to availability.
Possible Impact
Successful exploitation of this vulnerability allows authenticated attackers with Subscriber-level access to:
- Rename files uploaded by other users.
- Potentially disrupt workflows or cause confusion by renaming important files.
- In some cases, renamed files could lead to broken links or functionality within the WordPress site.
- Depending on the site’s configuration and the types of files being managed, this could escalate to more serious issues.
Mitigation or Patch Steps
The recommended mitigation is to update the Frontend File Manager plugin to the latest version as soon as it becomes available. The update will likely include a fix that implements proper file ownership validation before processing file rename requests.
In the meantime, consider the following workaround (if possible and depending on your comfort level with code modifications):
- Manually patch the plugin code by adding an ownership check within the /wpfm/v1/file-rename REST API endpoint. Specifically, before renaming the file, verify that the current user’s ID matches the user ID associated with the uploaded file. This will require editing the class.rest.php file.
- Monitor the plugin’s activity for any suspicious file renaming actions.
Important: Always back up your website before making any code modifications.
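The following is an added example of what the ownership check described above looks like in a WordPress REST route; it is not the plugin's own code. It assumes uploaded files are stored as WordPress attachment posts (so the uploader is the attachment's post_author), reuses the advisory's route and fileid parameter, and the function name example_wpfm_rename_file and the newname parameter are hypothetical.

```php
<?php
// Added example, not from the Frontend File Manager plugin. Assumptions:
// files are attachment posts whose post_author is the uploader; the route
// and 'fileid' match the advisory; 'newname' and the function name are ours.

add_action( 'rest_api_init', function () {
    register_rest_route( 'wpfm/v1', '/file-rename', array(
        'methods'             => 'POST',
        'callback'            => 'example_wpfm_rename_file',
        // Reject anonymous callers before the callback is reached.
        'permission_callback' => function () {
            return is_user_logged_in();
        },
        'args'                => array(
            'fileid'  => array( 'required' => true, 'sanitize_callback' => 'absint' ),
            // sanitize_file_name() strips path separators, so 'newname' cannot
            // be used to move the file out of its directory.
            'newname' => array( 'required' => true, 'sanitize_callback' => 'sanitize_file_name' ),
        ),
    ) );
} );

function example_wpfm_rename_file( WP_REST_Request $request ) {
    $file_id  = $request->get_param( 'fileid' );
    $new_name = $request->get_param( 'newname' );
    $file     = get_post( $file_id );

    // Unknown or non-attachment IDs get the same 403 as foreign files, so the
    // endpoint does not reveal which IDs exist.
    if ( ! $file || 'attachment' !== $file->post_type || '' === $new_name ) {
        return new WP_Error( 'wpfm_forbidden', 'Not allowed.', array( 'status' => 403 ) );
    }

    // The IDOR fix: the caller must own the file, unless they hold a capability
    // that legitimately covers other users' content.
    if ( get_current_user_id() !== (int) $file->post_author && ! current_user_can( 'edit_others_posts' ) ) {
        return new WP_Error( 'wpfm_forbidden', 'Not allowed.', array( 'status' => 403 ) );
    }

    // Ownership verified: rename on disk and update the attachment record.
    $old_path = get_attached_file( $file_id );
    $new_path = dirname( $old_path ) . '/' . $new_name;
    if ( ! $old_path || file_exists( $new_path ) || ! rename( $old_path, $new_path ) ) {
        return new WP_Error( 'wpfm_rename_failed', 'Rename failed.', array( 'status' => 409 ) );
    }
    update_attached_file( $file_id, $new_path );

    return rest_ensure_response( array( 'fileid' => $file_id, 'name' => $new_name ) );
}
```

A request for a fileid owned by another Subscriber now returns 403 instead of renaming the file, which is the behaviour the advisory says the vulnerable endpoint lacks.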
