Frontend File Manager Plugin - Authentication Bypass (CVE-2022-3124)

CVE-2022-3124 is a vulnerability in the Frontend File Manager Plugin for WordPress that allows unauthenticated users to rename uploaded files and potentially modify the content of arbitrary files on the web server. This flaw could be exploited by attackers to tamper with website files, leading to possible defacement or further compromise of the site’s integrity.

CrowdSec has been tracking this vulnerability and its exploits since 24th of September 2025.

CrowdSec network observations suggest that most exploitation of CVE-2022-3124 involves focused reconnaissance to identify viable targets. Attackers typically tailor their campaigns based on system exposure and configuration. It is unlikely that a given attack is accidental. CrowdSec network telemetry also shows that exploitation of CVE-2022-3124 has significantly declined over the past week. Attack volumes are well below the long-term average, suggesting attackers are rapidly losing interest. The vulnerability appears to be falling out of active use across most threat landscapes.

Attackers exploit the /wp-json/wpfm/v1/file-rename endpoint to rename files by supplying crafted filename parameters, often using directory traversal sequences to target arbitrary files on WordPress installations.