Filebird < 6.4.6 – Authenticated (Author+) Insecure Direct Object Reference | CVE 2025-26977 | Plugin Vulnerabilities

Description

The FileBird – WordPress Media Library Folders & File Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.2.1 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to perform an unauthorized action

Affects Plugins

Fixed in 6.4.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/b42178a9-2f73-48d2-a912-50efe0bec76e

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Revan Arifio

Verified

No

WPVDB ID

5fbe2b31-878f-43f4-b332-d82afe4eede1

Timeline

Publicly Published

2025-02-23 (about 1 year ago)

Added

2025-03-03 (about 1 year ago)

Last Updated

2025-03-03 (about 1 year ago)

Other

Published

Title

Published

2024-04-10

Title

GP Unique ID < 1.5.6 - Unauthenticated Form Submission Unique ID Modification

Published

2025-09-22

Title

Content Mask <= 1.8.5.3 - Authenticated (Author+) Insecure Direct Object Reference

Published

2024-06-21

Title

Bricks Builder < 1.9.9 - Insecure Direct Object Reference

Published

2020-12-28

Title

WooCommerce < 4.7.0 - Arbitrary Order Status Disclosure via IDOR

Published

2026-03-16

Title

Tutor LMS – eLearning and online course solution < 3.9.5 - Authenticated (Subscriber+) Insecure Direct Object Reference