What the vulnerability does
01 Description
The FileBird – WordPress Media Library Folders & File Manager plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 6.5.1 via the "ConvertController::insertToNewTable" function due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to inject global folders and reassign arbitrary media attachments to those folders under certain circumstances.
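The bug class here is an AJAX-style handler that accepts an object identifier from the request and acts on it without tying authorization to that object. The following is an added illustration of that pattern and its hardened form; it is not FileBird's code, and every function, meta key, option name and nonce action in it (the `hypothetical_*` names, `_hypothetical_folder`, `hypothetical_folders`) is an assumption. Only the WordPress core calls (`check_ajax_referer`, `current_user_can`, `get_post`, `update_post_meta`, `wp_send_json_*`) are real APIs.

```php
<?php
// Added example, not FileBird's code. All hypothetical_* names, the
// '_hypothetical_folder' meta key and the 'hypothetical_folders' option are
// assumptions chosen for illustration. Requires a WordPress runtime.

// Folder store used by both handlers: option maps folder id => array with
// 'owner_id' and 'is_global'. A real plugin would use its own table.
function hypothetical_get_folder( $folder_id ) {
    $folders = get_option( 'hypothetical_folders', array() );
    return isset( $folders[ $folder_id ] ) ? (object) $folders[ $folder_id ] : null;
}

// VULNERABLE PATTERN. wp_ajax_* hooks only prove the caller is logged in;
// this handler then trusts both request-supplied IDs outright, so any
// authenticated user can attach any media item to any folder.
function hypothetical_move_attachment_unchecked() {
    $attachment_id = absint( $_POST['attachment_id'] ?? 0 );
    $folder_id     = absint( $_POST['folder_id'] ?? 0 );
    // No nonce, no capability check, no ownership check on either key.
    update_post_meta( $attachment_id, '_hypothetical_folder', $folder_id );
    wp_send_json_success();
}

// HARDENED PATTERN. Verify request origin, validate each user-controlled
// key against a real object, and authorize against that specific object.
function hypothetical_move_attachment_checked() {
    // CSRF protection: nonce action and field name are assumptions.
    check_ajax_referer( 'hypothetical_move_attachment', 'nonce' );

    $attachment_id = absint( $_POST['attachment_id'] ?? 0 );
    $folder_id     = absint( $_POST['folder_id'] ?? 0 );

    // Validate the attachment key: it must resolve to an attachment post.
    $attachment = get_post( $attachment_id );
    if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
        wp_send_json_error( 'invalid attachment', 400 );
    }

    // Object-level authorization. For attachments, 'edit_post' maps to
    // edit_posts for the uploader and edit_others_posts for anyone else,
    // so an Author cannot reassign another user's uploads.
    if ( ! current_user_can( 'edit_post', $attachment_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Validate the folder key and authorize against the folder itself:
    // a global (shared) folder needs an admin capability, a private one
    // must belong to the caller.
    $folder = hypothetical_get_folder( $folder_id );
    if ( ! $folder ) {
        wp_send_json_error( 'invalid folder', 400 );
    }
    if ( ! empty( $folder->is_global ) && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $folder->is_global ) && (int) $folder->owner_id !== get_current_user_id() ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    update_post_meta( $attachment_id, '_hypothetical_folder', $folder_id );
    wp_send_json_success();
}
add_action( 'wp_ajax_hypothetical_move_attachment', 'hypothetical_move_attachment_checked' );
```

The point to carry over when reviewing a plugin is the second half: `current_user_can()` with a generic capability is not enough when the request names a specific object; the check has to be made against the object the supplied key resolves to (`edit_post` with the attachment ID, ownership or an elevated capability for the folder). To confirm which FileBird build a site is running, `wp plugin get filebird --field=version` works if the plugin slug is `filebird` (an assumption); anything at or below 6.5.1 is in the affected range.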
Explanation of Vulnerability in Simple Terms
02 Summary
FileBird versions up to and including 6.5.1 lack an authorization check in the ConvertController::insertToNewTable function: a key supplied by the user is not validated before it is used. A logged-in user with the Author role or higher can exploit this to create global folders and move arbitrary media attachments into them, including attachments uploaded by other users. Exploitation requires an authenticated account; no unauthenticated path is described. Update to a version newer than 6.5.1 to resolve this issue.
What an attacker can do
03 Attacker Capabilities
Inject global folders into the media library and reassign arbitrary media attachments, including other users' uploads, to those folders under certain circumstances. The advisory does not describe modification or deletion of the underlying files.
Potential impact on your site
04 Site Impact
An Author-level user can alter the media library folder structure seen by all users and move attachments out of the folders their owners placed them in, disrupting content organization and any workflow that depends on folder membership. The advisory describes folder and assignment manipulation only, not file disclosure or file deletion.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid WordPress user account with at least the Author role (the description specifies Author-level access and above), and the vulnerable code path must be reachable under the circumstances the advisory notes.
Key dates
06 Disclosure timeline
December 15, 2025: CVE published
April 8, 2026: Record updated