FileBird – WordPress Media Library Folders & File Manager < 6.5.2 – Missing Authorization to Authenticated (Author+) Global Folders Tampering | CVE 2025-12900 | Plugin Vulnerabilities

Description

The FileBird – WordPress Media Library Folders & File Manager plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 6.5.1 via the "ConvertController::insertToNewTable" function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author level access and above, to inject global folders and reassign arbitrary media attachments to those folders under certain circumstances.

Affects Plugins

Fixed in 6.5.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/59592b27-d431-499a-b3c3-3d43a5513c36

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

type5afe

Verified

No

WPVDB ID

ac391a15-4f62-4fde-bd9e-131eba22d234

Timeline

Publicly Published

2025-12-15 (about 5 months ago)

Added

2025-12-15 (about 5 months ago)

Last Updated

2025-12-15 (about 5 months ago)

Other

Published

Title

Published

2024-04-25

Title

Sticky Anything <= 2.1.5 - Missing Authorization

Published

2023-12-27

Title

Doofinder for WooCommerce < 2.1.1 - Missing Authorization via multiple AJAX actions

Published

2024-02-23

Title

Addon Library <= 1.3.76 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload

Published

2026-01-29

Title

OSM – OpenStreetMap < 6.1.13 - Missing Authorization

Published

2022-03-21

Title

Easy Social Icons < 3.2.1 - Unauthenticated Arbitrary Icon Deletion