Description
The MediaCommander – Bring Folders to Media, Posts, and Pages plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the import-csv REST API endpoint in all versions up to, and including, 2.3.1. This is due to the endpoint using the `upload_files` capability check (Author level) for a destructive operation that can delete all folders. This makes it possible for authenticated attackers, with Author-level access and above, to delete all folder organization data created by Administrators and other users.
Published: 2025-12-13
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized deletion of media folder organization data by authenticated users with Author-level access
Action: Apply Patch
AI Analysis

Impact

The MediaCommander plugin allows authenticated users with Author privileges or higher to delete all media folder organization data via the import-csv REST API endpoint. This occurs because the endpoint guards the deletion only with an `upload_files` capability check, a capability the Author role already holds and which is insufficient for a destructive operation. As a result, an attacker can erase the folder structure set up by administrators and other users, causing loss of organization, potential disruption to media management, and administrative overhead.

Affected Systems

All installations of the MediaCommander – Bring Folders to Media, Posts, and Pages plugin by yalogica running any version up to and including 2.3.1. Any site on one of these versions is at risk.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.5, indicating moderate severity, while the EPSS score of < 1% suggests a very low exploitation probability in the general population. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the authenticated REST API endpoint import-csv; an attacker must first obtain Author or higher credentials to exploit the missing capability check. If successful, the attacker can delete all folder organization data, but cannot achieve further privilege escalation or code execution solely through this flaw.

Generated by OpenCVE AI on April 21, 2026 at 17:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MediaCommander plugin to version 2.3.2 or later, which implements proper capability checks for folder deletion operations.
  • If an upgrade is not immediately possible, restrict Authors from using the CSV import feature by adjusting role capabilities or disabling the endpoint through plugin settings or a custom snippet.
  • Monitor WordPress REST API logs for unusual folder deletion requests and verify that only authorized administrators perform such actions.
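As an added illustration for the Impact and Recommended Actions sections above (this is not code from the MediaCommander plugin, whose real route and handler names are not on this page), the following shows the weak authorization pattern this CVE describes beside a hardened REST route, and a site-level stopgap of the kind the second recommendation calls a "custom snippet". The namespace `example-folders/v1`, the route `/import-csv` and every `example_folders_*` name are hypothetical placeholders.

```php
<?php
// Added example for this CVE record, not the plugin's own code.
// Route namespace, route path and function names are hypothetical placeholders.

// Weak check (the pattern this CVE describes): `upload_files` belongs to the
// Author role, so any Author passes it and reaches the destructive handler.
// Kept here only for contrast; it is never registered as a route.
$example_folders_weak_permission = function () {
    return current_user_can( 'upload_files' );
};

// Hardened check: a bulk import that replaces every folder record should
// require a capability only Administrators hold.
function example_folders_can_replace_all_folders( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to replace the folder structure.',
            array( 'status' => rest_authorization_required_code() ) // 401 anonymous, 403 otherwise
        );
    }
    return true;
}

// Handler: parse and validate the CSV before anything destructive happens, so a
// malformed file is rejected without touching stored data. The replacement of
// stored folders is deliberately left out; only the parsed rows are returned.
function example_folders_import_csv( WP_REST_Request $request ) {
    $rows = array();
    foreach ( preg_split( '/\r\n|\r|\n/', trim( (string) $request->get_param( 'csv' ) ) ) as $line ) {
        if ( '' === $line ) {
            continue;
        }
        $fields = str_getcsv( $line );
        if ( count( $fields ) < 2 ) {
            return new WP_Error( 'rest_invalid_param', 'Each row needs an id and a name.', array( 'status' => 400 ) );
        }
        $rows[] = array( 'id' => absint( $fields[0] ), 'name' => sanitize_text_field( $fields[1] ) );
    }
    // A real plugin would replace its folder records with $rows at this point.
    return rest_ensure_response( array( 'imported' => count( $rows ) ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-folders/v1', '/import-csv', array(
        'methods'             => WP_REST_Server::CREATABLE, // POST
        'callback'            => 'example_folders_import_csv',
        'permission_callback' => 'example_folders_can_replace_all_folders',
        'args'                => array(
            'csv' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );

// Site-level stopgap until the plugin is upgraded: deny the import route to
// non-Administrators before the plugin's own permission callback runs.
// `rest_request_before_callbacks` fires after routing but before the permission
// and handler callbacks, and a returned WP_Error short-circuits the request.
// The route suffix is a placeholder for the plugin's real import-csv route.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    if ( str_ends_with( $request->get_route(), '/import-csv' )
        && ! current_user_can( 'manage_options' ) ) {
        // Log the attempt so the third recommendation (monitoring) has something to match.
        error_log( sprintf( 'Blocked folder CSV import by user %d', get_current_user_id() ) );
        return new WP_Error( 'rest_forbidden', 'Folder import is restricted to Administrators.', array( 'status' => 403 ) );
    }
    return $response;
}, 10, 3 );
```

The filter-based stopgap works regardless of how the plugin registered its route, which is why it suits the interim period before an upgrade; once version 2.3.2 or later is installed the snippet can be removed.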



Advisories

No advisories yet.

History

Mon, 15 Dec 2025 16:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 14 Dec 2025 21:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wordpress; Wordpress wordpress
Vendors & Products  |                | Wordpress; Wordpress wordpress

Sat, 13 Dec 2025 04:45:00 +0000

Type        | Values Removed | Values Added
Description |                | The MediaCommander – Bring Folders to Media, Posts, and Pages plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the import-csv REST API endpoint in all versions up to, and including, 2.3.1. This is due to the endpoint using the `upload_files` capability check (Author level) for a destructive operation that can delete all folders. This makes it possible for authenticated attackers, with Author-level access and above, to delete all folder organization data created by Administrators and other users.
Title       |                | MediaCommander – Bring Folders to Media, Posts, and Pages <= 2.3.1 - Missing Authorization to Authenticated (Author+) Media Folder Deletion
Weaknesses  |                | CWE-862
References  |                |
Metrics     |                | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:06:51.974Z

Reserved: 2025-12-11T01:17:23.655Z

Link: CVE-2025-14508

Vulnrichment

Updated: 2025-12-15T15:43:17.634Z

NVD

Status : Deferred

Published: 2025-12-13T16:16:50.953

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14508

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T17:15:25Z

Weaknesses