CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
What the vulnerability does
The Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the 'wcp_change_post_folder' function in all versions up to, and including, 3.1.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to move arbitrary folder contents to arbitrary folders.
Explanation of Vulnerability in Simple Terms
The Folders plugin for WordPress contains an authorization flaw that allows authenticated users with low privileges to modify content they should not have access to. The vulnerability affects versions up to 3.1.5. An attacker with a basic user account can bypass permission checks to alter files or folder settings. Site administrators should update to a version newer than 3.1.5 to remediate this issue.
What an attacker can do
Modify files or folders that their user role should not permit them to change.
Potential impact on your site
Unauthorized users can alter media library organization, folder structure, or file metadata without proper permission checks.
Conditions required to exploit
Attacker must have a low-privilege WordPress user account (e.g., Contributor or Subscriber).
Key dates
External resources
Related vulnerabilities
