Folders < 3.1.6 – Incorrect Authorization to Authenticated (Contributor+) Folder Content Manipulation | CVE 2025-12971 | Plugin Vulnerabilities

Description

The Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the 'wcp_change_post_folder' function in all versions up to, and including, 3.1.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to move arbitrary folder contents to arbitrary folders.

Affects Plugins

Fixed in 3.1.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/f3845071-8419-4bb2-b22d-f9ae22fb7d6a

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Verified

No

WPVDB ID

6cbf0243-af86-4746-9818-54c90ceef7b9

Timeline

Publicly Published

2025-11-26 (about 5 months ago)

Added

2025-11-27 (about 5 months ago)

Last Updated

2025-11-27 (about 5 months ago)

Other

Published

Title

Published

2026-01-05

Title

Timetics < 1.0.48 - Incorrect Authorization to Authenticated (Timetics Customer+) User Creation

Published

2025-02-11

Title

WP Booking Calendar < 10.10.1 - Unauthenticated Post-Confirmation Booking Manipulation

Published

2026-03-05

Title

Responsive Plus < 3.4.3 - Unauthenticated Arbitrary Shortcode Execution

Published

2022-03-10

Title

WooCommerce < 6.3.1 - Orders Marked as Paid (via PayPal Standard Gateway)

Published

2025-10-24

Title

ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution < 4.8.5 - Incorrect Authorization to Authenticated (Editor+) License Status Update