CVE-2025-12900

MEDIUM

FileBird - WordPress Media Library Folders & File Manager <6.5.1 - ...

Title source: llm

Description

The FileBird – WordPress Media Library Folders & File Manager plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 6.5.1 via the "ConvertController::insertToNewTable" function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author level access and above, to inject global folders and reassign arbitrary media attachments to those folders under certain circumstances.

References (2)

Core 2

Core References

Product

https://plugins.trac.wordpress.org/changeset/3411587

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/59592b27-d431-499a-b3c3-3d43a5513c36?source=cve

Scores

CVSS v3 4.3

EPSS 0.0022

EPSS Percentile 12.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (1)

ninjateam/FileBird – WordPress Media Library Folders & File Manager < 6.5.1

Published Dec 15, 2025

Tracked Since Feb 18, 2026