
CVE-2026-5337

Hype rating: MOSTLY HYPE

Recycled NVD feed posts; no PoC, no KEV, no urgent patching signal yet.

What: Insecure Direct Object Reference (IDOR) in the Frontend File Manager Plugin for WordPress, through version 23.6. Authenticated users with Subscriber-level access or higher can download files belonging to other users by changing the file_id parameter of the download endpoint.

Why it matters: it is a file access-control flaw in a WordPress plugin. The lowest-privileged authenticated role (Subscriber, which many sites hand out at self-registration) is enough to read files uploaded by other users, including administrators. No KEV listing, no CVSS/EPSS scores, and no public PoC or in-the-wild reports are evident in chatter.

Where it's seen: Feed aggregators (CVE trackers, Vulmon) republishing NVD description same-day; no vendor advisory, researcher PoC, or defender triage signals detected.

RISK: MODERATE — Affects WordPress sites; requires authentication; file disclosure only, not RCE.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 5/3/2026, 8:45:46 AM

Public PoCs on GitHub: 6 repos


Articles & coverage: 14 articles

  • CVE-2006-5337 - NONE Vulnerability - AnonHaven

    Unspecified vulnerability in the Core RDBMS component in Oracle Database 9.0.1.5, 9.2.0.8, 10.1.0.5, and 10.2.0.2 has unknown impact and

  • Heap-based buffer overflow in Windows Routing and Remote...

    Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a

  • CISA orders feds to patch Windows flaw exploited as zero-day

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to secure their Windows systems against a vulnerability exploited in zero-day attacks. Tracked as CVE-2026-32202, this security flaw was reported by cybersecurity firm Akamai, which described it as a zero-click vulnerability left behind after

  • NVD - CVE-2026-35337

    Change History: 4 change records found. Initial Analysis by NIST, 4/15/2026 11:54:21 AM: Added CPE Configuration: cpe:2.3:a:apache:storm:*:*:*:*:*:*:*:* versions from (including) 2.0.0 up to (excluding) 2.8.6. Added Reference Type: Apache Software Foundation: https://storm.

  • CVE 2026 — The Vulnerabilities That Matter Most Right Now

    The search for “CVE 2026” looks broad on the surface, but the people typing it into Google are usually not looking for an encyclopedia of numbers. They lose because they treated every CVE as equal, patched by score instead of exploit reality, and discovered too late that the issues that changed their week were not generic application bug

NVD details: 0 vendors · 1 ref

Description

During the analysis, it was identified that authenticated attackers with Subscriber-level access or higher are able to perform an Insecure Direct Object Reference (IDOR) attack. This vulnerability exists because the Frontend File Manager Plugin WordPress plugin through 23.6 does not properly validate user authorization for the requested uploaded file when processing download requests. By modifying the value of the 'file_id' parameter in the download endpoint (e.g., http://localhost/?do=wpfm_download&file_id=40&nm_file_nonce=a36fb893f1), an attacker can access files belonging to other users, including privileged users such as administrators. This allows unauthorized access/read to sensitive data stored within the application.

References

Top posts driving the trend