CVE-2025-11510 MEDIUM

CVE-2025-11510: FileBird <= 6.4.9 - Improper Authorization to Authenticated (Author+) Settings Reset

Vendor Ninjateam
Product FileBird – WordPress Media Library Folders & File Manager
Weakness CWE-285
Published October 18, 2025
Last update April 8, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The FileBird – WordPress Media Library Folders & File Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /filebird/v1/fb-wipe-clear-all-data function in all versions up to, and including, 6.4.9. This makes it possible for authenticated attackers, with author-level access and above, to reset all of the plugin's configuration data.
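The root cause the description names is a WordPress REST route whose permission check does not require an administrator-level capability. The PHP below is an added illustration written for this page, not FileBird's own code: it registers the route named in the advisory first with a permission_callback that only requires upload_files (a capability Authors hold by default and Contributors lack, which is one way a route ends up reachable to exactly Author+ accounts), then with the capability check a destructive, plugin-wide endpoint needs, and finally shows a site-side filter an administrator can install as an interim mitigation until the plugin is updated. The HTTP method, the option names, the handler body and every example_ prefixed name are assumptions.

```php
<?php
/**
 * Added illustration for this advisory; NOT FileBird's own code.
 * Route namespace and name are taken from the CVE description; the HTTP
 * method, option names, handler body and every example_* name are assumed.
 */

// Assumed placeholder options that a "wipe all data" handler would delete.
const EXAMPLE_FB_OPTIONS = array( 'example_fb_option_a', 'example_fb_option_b' );

function example_fb_wipe_handler( WP_REST_Request $request ) {
	foreach ( EXAMPLE_FB_OPTIONS as $name ) {
		delete_option( $name );
	}
	return new WP_REST_Response( array( 'success' => true ), 200 );
}

// WEAK (illustrative, not hooked): a media-library capability gates a
// site-wide reset. Authors hold upload_files by default, Contributors do
// not, so exactly Author+ accounts pass this check, the threshold the
// advisory states. Other logged-in users get 403, anonymous callers 401.
function example_fb_register_weak() {
	register_rest_route( 'filebird/v1', '/fb-wipe-clear-all-data', array(
		'methods'             => WP_REST_Server::CREATABLE, // assumed: POST
		'callback'            => 'example_fb_wipe_handler',
		'permission_callback' => function () {
			return current_user_can( 'upload_files' );
		},
	) );
}

// FIXED: changing plugin-wide configuration is an administrator action.
// manage_options is held only by Administrators in a default single site.
function example_fb_register_fixed() {
	register_rest_route( 'filebird/v1', '/fb-wipe-clear-all-data', array(
		'methods'             => WP_REST_Server::CREATABLE, // assumed: POST
		'callback'            => 'example_fb_wipe_handler',
		'permission_callback' => function () {
			return current_user_can( 'manage_options' );
		},
	) );
}
add_action( 'rest_api_init', 'example_fb_register_fixed' );

// INTERIM SITE-SIDE MITIGATION (drop in wp-content/mu-plugins/ until the
// plugin is updated past 6.4.9): refuse the route to anyone lacking
// manage_options before the plugin's own callback is dispatched.
// WordPress matches routes case-insensitively, so compare that way too.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
	$route = untrailingslashit( $request->get_route() );
	if ( 0 === strcasecmp( $route, '/filebird/v1/fb-wipe-clear-all-data' )
		&& ! current_user_can( 'manage_options' ) ) {
		return new WP_Error(
			'rest_forbidden',
			__( 'Sorry, you are not allowed to do that.' ),
			array( 'status' => rest_authorization_required_code() )
		);
	}
	return $result; // null: let normal dispatch continue
}, 10, 3 );
```

Cookie-authenticated REST calls also need a valid X-WP-Nonce, but any logged-in user can obtain one from the admin area, and application passwords provide another authenticated path, so neither is a substitute for the capability check. The check belongs in permission_callback (or, for a virtual patch, before dispatch as above), not inside the handler after side effects have begun.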

Explanation of Vulnerability in Simple Terms

02 Summary

FileBird, a WordPress media library folder plugin, contains an improper authorization vulnerability (CWE-285) in all versions up to and including 6.4.9: the /filebird/v1/fb-wipe-clear-all-data REST route does not verify that the caller holds an administrator-level capability. Any authenticated user with the Author role or higher can call it and reset all of the plugin's configuration data. The attack needs a valid WordPress account but no interaction from an administrator or any other user. Site administrators should update to a version newer than 6.4.9.

What an attacker can do

03 Attacker Capabilities

Reset (wipe) all of FileBird's stored configuration through the unprotected REST route, using nothing more than an Author-level account. The advisory describes no ability to read data (CVSS C:N) and no ability to modify individual files or folders belonging to other users.

Potential impact on your site

04 Site Impact

Loss of the plugin's settings: an attacker can wipe FileBird's configuration, disrupting the media-library folder organization that editors rely on until it is reconfigured or restored from backup. The CVSS vector rates this as low integrity impact with no confidentiality or availability impact; the advisory does not describe exposure of media files or site data.

Conditions required to exploit

05 Prerequisites

Attacker must have a valid WordPress user account with the Author role or higher (Contributor accounts do not meet the threshold the advisory states) on a site running FileBird 6.4.9 or earlier. The attack is carried out over the network with low complexity and requires no user interaction (CVSS AV:N/AC:L/PR:L/UI:N).

Key dates

06 Disclosure timeline

October 18, 2025 CVE published
April 8, 2026 Record updated