CVE-2021-4359: 
WordPress vulnerability analysis and mitigation

The Frontend File Manager plugin for WordPress (versions up to and including 18.2) contains a vulnerability identified as CVE-2021-4359. This security flaw is characterized as an Unauthenticated Arbitrary Post Deletion vulnerability, which stems from missing authentication protections and the absence of a security nonce on the wpfm_delete_file AJAX action (NVD, NinTechNet Blog).

The vulnerability exists due to the plugin's wpfm_delete_file function lacking proper authentication checks and security nonces. The function takes an ID from $_REQUEST['file_id'] and proceeds to delete the corresponding post without verifying user permissions. The CVSS v3.1 base score is 6.5 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L according to Wordfence, while NVD assigns a score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD).

The vulnerability allows unauthenticated attackers to delete any posts and pages on the affected WordPress site. This can lead to significant content loss and potential disruption of website operations (NinTechNet Blog).

Users are strongly advised to update their Frontend File Manager plugin immediately if running version 18.2 or below. The vulnerability has been patched in version 18.3, released on June 26, 2021. Users of NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium) are protected against this vulnerability (NinTechNet Blog).