Description
The Media Library Folders plugin for WordPress is vulnerable to unauthorized plugin settings change due to a missing capability check on several AJAX actions in all versions up to, and including, 8.3.0. This makes it possible for authenticated attackers, with Author-level access and above, to change plugin settings related to things such as IP-blocking.
Published: 2025-02-15
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized configuration change via authentication bypass
Action: Patch
AI Analysis

Impact

The Media Library Folders plugin contains a missing capability check on several AJAX actions, which allows an authenticated user with Author level or higher to modify plugin settings, including IP‑blocking rules. By changing these settings, the attacker can alter how visitor requests are handled, potentially weakening site security or making the site more vulnerable to other attacks. The primary impact is configuration tampering, leading to degraded security controls and increased attack surface.

Affected Systems

This vulnerability affects the MaxFoundry Media Library Folders plugin for WordPress, specifically all releases up to and including version 8.3.0. Users running any of these versions are susceptible to the described authorization bypass.

Risk and Exploitability

The CVSS score of 4.3 indicates a low severity issue, and the EPSS score of less than 1% suggests a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attacker must be authenticated with at least Author privileges and must trigger the vulnerable AJAX actions; no additional privilege escalation is required. While the risk is moderate due to the low likelihood, the potential for configuration manipulation warrants timely remediation.

Generated by OpenCVE AI on April 22, 2026 at 13:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Media Library Folders plugin to version 8.3.1 or later, which includes proper capability checks on AJAX actions.
  • Restrict the ability to modify critical settings, such as IP‑blocking, to Administrators only by reviewing and updating the plugin’s role‑based access controls.
  • Enable monitoring for changes to plugin settings and review audit logs to detect any unauthorized modifications promptly.

Generated by OpenCVE AI on April 22, 2026 at 13:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-1933 The Media Library Folders plugin for WordPress is vulnerable to unauthorized plugin settings change due to a missing capability check on several AJAX actions in all versions up to, and including, 8.3.0. This makes it possible for authenticated attackers, with Author-level access and above, to change plugin settings related to things such as IP-blocking.
History

Tue, 15 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.0004}

 epss

{'score': 0.00045}

Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00055}

 epss

{'score': 0.0004}

Mon, 24 Feb 2025 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Maxfoundry
Maxfoundry media Library Folders
CPEs cpe:2.3:a:maxfoundry:media_library_folders:*:*:*:*:*:wordpress:*:*
Vendors & Products Maxfoundry
Maxfoundry media Library Folders

Tue, 18 Feb 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 15 Feb 2025 08:30:00 +0000

Type Values Removed Values Added
Description The Media Library Folders plugin for WordPress is vulnerable to unauthorized plugin settings change due to a missing capability check on several AJAX actions in all versions up to, and including, 8.3.0. This makes it possible for authenticated attackers, with Author-level access and above, to change plugin settings related to things such as IP-blocking.
Title Media Library Folders <= 8.3.0 - Missing Authorization to Plugin Settings Change
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Maxfoundry Media Library Folders
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:59:55.958Z

Reserved: 2025-01-31T15:53:56.541Z

Link: CVE-2025-0935

cve-icon Vulnrichment

Updated: 2025-02-18T21:12:29.988Z

cve-icon NVD

Status : Analyzed

Published: 2025-02-15T09:15:10.583

Modified: 2025-02-24T12:23:14.103

Link: CVE-2025-0935

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T13:30:17Z

Weaknesses