← voltar
CVE-2025-14508

MediaCommander – Bring Folders to Media, Posts, and Pages <= 2.3.1 - Missing Authorization to Authenticated (Author+) Media Folder Deletion

CVSS 6.5 MEDIUMEPSS 0.2%CWE-862
Vexday Risk Score
13Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 6.5EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
13 dez 2025Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
The MediaCommander – Bring Folders to Media, Posts, and Pages plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the import-csv REST API endpoint in all versions up to, and including, 2.3.1. This is due to the endpoint using `upload_files` capability check (Author level) for a destructive operation that can delete all folders. This makes it possible for authenticated attackers, with Author-level access and above, to delete all folder organization data created by Administrators and other users.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N