Bug is one of six critical flaws impacting WordPress plugin Front File Manager versions 17.1 and 18.2, active on more than 2,000 websites. The bugs allow a range of attacks on websites, including deleting blog pages and remote code execution. Each of the flaws, publicly disclosed Monday, have available patches, with each having a patch in place. Each issue has an unauthenticated content injection bug, researchers from the Ninja Technologies Network said. The bug allows remote users to inject JavaScript code into vulnerable websites to create admin user accounts.
Source: https://threatpost.com/frontend-file-manager-wordpress-bugs/167687/