CVE-2025-12900 MEDIUM

CVE-2025-12900: FileBird – WordPress Media Library Folders & File Manager <= 6.5.1 - Missing Authorization to Authenticated (Author+) Global Folders Tampering

Vendor Ninjateam
Product FileBird – WordPress Media Library Folders & File Manager
Weakness CWE-862 · Missing authorization
Published December 15, 2025
Last update April 8, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The FileBird – WordPress Media Library Folders & File Manager plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 6.5.1 via the "ConvertController::insertToNewTable" function, due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to inject global folders and reassign arbitrary media attachments to those folders under certain circumstances.
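The defensive pattern the description points at, shown as an added example that is not FileBird's code: a hypothetical WordPress AJAX handler that imports folders from a user-selected source. The action name, the `source` and `attachments` parameters and the `$allowed_sources` list are assumptions; the point is that the user-controlled key is validated against an allowlist, the global write requires an administrative capability, and each attachment reassignment is checked against the caller's own permissions.

```php
<?php
// Hypothetical illustration, not FileBird's code. Action name, parameter
// names and the $allowed_sources list are assumptions made for this example.
add_action( 'wp_ajax_example_import_folders', 'example_import_folders' );

function example_import_folders() {
    // 1. CSRF protection: the request must carry a valid nonce for this action.
    check_ajax_referer( 'example_import_folders', 'nonce' );

    // 2. Authorization: creating folders visible to every user is a
    //    site-wide change, so require an administrative capability instead
    //    of relying on the user merely being logged in (Author+ is not enough).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Validate the user-controlled key against a fixed allowlist rather
    //    than using it directly to decide which records get inserted.
    $allowed_sources = array( 'legacy_plugin_a', 'legacy_plugin_b' );
    $source = isset( $_POST['source'] ) ? sanitize_key( wp_unslash( $_POST['source'] ) ) : '';
    if ( ! in_array( $source, $allowed_sources, true ) ) {
        wp_send_json_error( 'invalid source', 400 );
    }

    // 4. When reassigning attachments, confirm the caller may edit each one;
    //    anything the caller cannot edit is skipped, not moved.
    $attachment_ids = isset( $_POST['attachments'] )
        ? array_map( 'absint', (array) wp_unslash( $_POST['attachments'] ) )
        : array();
    $reassigned = array();
    foreach ( $attachment_ids as $id ) {
        if ( 'attachment' !== get_post_type( $id ) || ! current_user_can( 'edit_post', $id ) ) {
            continue;
        }
        $reassigned[] = $id; // the actual folder/attachment write would go here
    }

    wp_send_json_success( array( 'source' => $source, 'attachments' => $reassigned ) );
}
```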

Explanation of Vulnerability in Simple Terms

02 Summary

FileBird versions up to 6.5.1 lack proper authorization checks on certain file operations. A logged-in user with low privileges can modify files or folders they should not have access to. The vulnerability requires WordPress authentication but no special user role. Update to a version newer than 6.5.1 to resolve this issue.

What an attacker can do

03 Attacker Capabilities

Modify or delete files and folders in the media library that belong to other users or are restricted.

Potential impact on your site

04 Site Impact

Unauthorized users can alter media library structure and content, potentially corrupting site assets or exposing sensitive files.

Conditions required to exploit

05 Prerequisites

Attacker must have a valid WordPress user account with at least Subscriber or Contributor role.

Key dates

06 Disclosure timeline

December 15, 2025 CVE published
April 8, 2026 Record updated