CVE-2026-1883 MEDIUM

CVE-2026-1883: Wicked Folders <= 4.1.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Folder Deletion

Vendor Wickedplugins
Product Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types
Weakness CWE-639 · IDOR
Published March 15, 2026
Last update April 8, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the delete_folders() function, due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary folders created by other users.
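The pattern behind this class of bug, and one way to close it, shown as an added illustration in WordPress-style PHP. This is not the plugin's code: the handler names, the `example_` helpers and the folder-to-owner table are constructed for the example; only the WordPress API calls (`check_ajax_referer`, `current_user_can`, `get_current_user_id`, `wp_send_json_*`, `add_action`) are real.

```php
<?php
// Hypothetical AJAX handlers illustrating the CWE-639 pattern described in the
// advisory: folder IDs arrive from the request and are acted on without
// checking that the caller may touch those objects. Not Wicked Folders' code.

// Constructed sample data standing in for a plugin's folder storage:
// folder_id => owner user_id.
function example_folder_owner( int $folder_id ): ?int {
    $folders = array( 10 => 2, 11 => 2, 12 => 7 );
    return $folders[ $folder_id ] ?? null;
}

// Constructed stand-in for the actual row deletion (a real plugin would
// call $wpdb->delete() or similar here).
function example_delete_folder_row( int $folder_id ): void {
    error_log( "deleted folder {$folder_id}" );
}

// Weak pattern: any authenticated caller can delete any folder it names.
function example_delete_folders_weak(): void {
    $ids = array_map( 'intval', (array) ( $_POST['folder_ids'] ?? array() ) );
    foreach ( $ids as $id ) {
        example_delete_folder_row( $id ); // no nonce, capability or ownership check
    }
    wp_send_json_success();
}

// Hardened pattern: CSRF nonce, a capability gate, and a per-object
// ownership check so a Contributor can only delete folders they created.
function example_delete_folders_hardened(): void {
    check_ajax_referer( 'example_delete_folders', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $ids     = array_map( 'intval', (array) ( $_POST['folder_ids'] ?? array() ) );
    $user_id = get_current_user_id();
    $denied  = array();
    foreach ( $ids as $id ) {
        $owner = example_folder_owner( $id );
        // Unknown folder, or owned by someone else and the caller may not
        // manage other users' content: refuse rather than delete.
        if ( null === $owner || ( $owner !== $user_id && ! current_user_can( 'edit_others_posts' ) ) ) {
            $denied[] = $id;
            continue;
        }
        example_delete_folder_row( $id );
    }
    if ( $denied ) {
        wp_send_json_error( array( 'denied' => $denied ), 403 );
    }
    wp_send_json_success();
}

add_action( 'wp_ajax_example_delete_folders', 'example_delete_folders_hardened' );
```

The key difference is that the hardened handler treats each submitted folder ID as a claim to be verified against the stored owner, which is the check the advisory says is missing.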

Explanation of Vulnerability in Simple Terms

02 Summary

Wicked Folders allows authenticated users to modify data they should not have access to. An attacker with a low-privilege account can alter folder organization or post associations through the plugin's API or interface. The vulnerability affects versions up to 4.1.0. Update to a version newer than 4.1.0 to resolve this issue.

What an attacker can do

03 Attacker Capabilities

Modify folder structure or post metadata without proper authorization checks.

Potential impact on your site

04 Site Impact

Unauthorized changes to post organization, folder structure, or custom post type associations.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege WordPress user account (subscriber or contributor level).

Key dates

06 Disclosure timeline

March 15, 2026 CVE published
April 8, 2026 Record updated