CVE-2025-0935

MEDIUM

Media Library Folders <= 8.3.0 - Authenticated Plugin Settings Change via Missing Capability Check

Title source: llm

Description

The Media Library Folders plugin for WordPress is vulnerable to unauthorized plugin settings change due to a missing capability check on several AJAX actions in all versions up to, and including, 8.3.0. This makes it possible for authenticated attackers, with Author-level access and above, to change plugin settings related to things such as IP-blocking.

References (5)

Core 5

Core References

Product

https://plugins.trac.wordpress.org/browser/media-library-plus/trunk/media-library-plus.php#L6296

Product

https://plugins.trac.wordpress.org/browser/media-library-plus/trunk/media-library-plus.php#L697

Product

https://plugins.trac.wordpress.org/browser/media-library-plus/trunk/media-library-plus.php#L7198

Patch

https://plugins.trac.wordpress.org/changeset/3234676/media-library-plus/trunk/media-library-plus.php

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/6f810102-cf25-4898-a3a6-3cdc9a96aaea?source=cve

Scores

CVSS v3 4.3

EPSS 0.0031

EPSS Percentile 22.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (2)

maxfoundry/Media Library Folders < 8.3.0

maxfoundry/media_library_folders < 8.3.1

Published Feb 15, 2025

Tracked Since Feb 18, 2026