Description
Authorization Bypass Through User-Controlled Key vulnerability in Ninja Team Filebird filebird allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Filebird: from n/a through <= 6.4.2.1.
Published: 2025-02-25
Score: 3.8 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WordPress Filebird plugin contains an Authorization Bypass Through User-Controlled Key flaw (CWE-639, an Insecure Direct Object Reference) that permits unauthorized access to private files or configuration data. The vulnerability arises from incorrectly configured access control security levels: file identifiers supplied in request parameters or URLs are acted on without a check that the requesting user is authorized for that specific object. While the severity is moderate (CVSS 3.8), an attacker who succeeds could read or modify data they are not authorized to access, potentially compromising site integrity or exposing sensitive information.

Affected Systems

The issue affects the Ninja Team Filebird plugin for WordPress, specifically all releases up to and including version 6.4.2.1. Sites utilizing these versions of the plugin are vulnerable unless an upgrade has been applied.

Risk and Exploitability

The CVSS score of 3.8 indicates moderate risk, and the EPSS score of less than 1% suggests a low probability of widespread exploitation at present. The vulnerability is not listed in CISA's KEV catalog, further indicating limited known exploitation. The CVSS vector (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N) carries PR:H, so the attacker must already hold a privileged account on the site, and the rated impact is limited to low confidentiality and integrity loss. Attackers can trigger the IDOR by crafting URLs or request parameters that reference file identifiers, bypassing normal authorization checks. Because the flaw relies on misconfigured access controls, any site that has granted broader file access may be particularly susceptible.

Generated by OpenCVE AI on May 1, 2026 at 15:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Filebird to version 6.4.2.2 or later, removing the IDOR flaw.
  • Confirm that file access limits are enforced in WordPress settings and that only intended user roles can view or edit files.
  • Implement server‑side validation of file identifiers to ensure that each request is authenticated and authorized before serving the requested file.
  • If an upgrade is not immediately possible, restrict the file browsing endpoint to trusted user roles using a .htaccess rule or a role‑based access control plugin.
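As an added illustration of the server-side validation recommended above (example code, not FileBird's own; the handler names, the AJAX action and the `file_id` parameter are hypothetical), a WordPress admin-ajax handler is shown first in the weak form, where the identifier from the request is trusted outright, and then hardened with a nonce check and an object-level capability check:

```php
<?php
// Added example, not the plugin's code. Assumes a WordPress context where
// wp_ajax_* hooks, get_post(), current_user_can() and wp_send_json_*() exist.

// Weak pattern (the IDOR shape): any attachment ID supplied by the caller is
// resolved and returned, with no check that this user may access that object.
function example_get_file_vulnerable() {
    $file_id = absint( $_GET['file_id'] ?? 0 );
    $file    = get_post( $file_id );
    if ( ! $file ) {
        wp_send_json_error( 'not_found', 404 );
    }
    wp_send_json_success( array( 'url' => wp_get_attachment_url( $file_id ) ) );
}

// Hardened pattern: authenticate, verify the request nonce, confirm the object
// is of the expected type, then authorize against THIS object before serving it.
function example_get_file_hardened() {
    // wp_ajax_ hooks already require a session; the explicit check documents intent
    // and protects the handler if it is ever wired to a nopriv hook by mistake.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'unauthenticated', 401 );
    }
    // Rejects cross-site requests; dies on failure.
    check_ajax_referer( 'example_get_file', 'nonce' );

    $file_id = absint( $_GET['file_id'] ?? 0 );
    $file    = get_post( $file_id );

    // Only attachments are served here; other post types are treated as missing
    // so the endpoint cannot be used to probe unrelated objects.
    if ( ! $file || 'attachment' !== $file->post_type ) {
        wp_send_json_error( 'not_found', 404 );
    }

    // Object-level authorization: edit_post is a meta capability mapped per
    // attachment (owner or edit_others_posts), not a site-wide "can upload" flag.
    if ( ! current_user_can( 'edit_post', $file_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_send_json_success( array( 'url' => wp_get_attachment_url( $file_id ) ) );
}

add_action( 'wp_ajax_example_get_file', 'example_get_file_hardened' );
```

The key difference is that the hardened handler ties the capability check to the requested object ID rather than to a global role capability, which is what closes the user-controlled-key gap.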



Advisories
Source: EUVD
ID: EUVD-2025-5415
Title: Authorization Bypass Through User-Controlled Key vulnerability in Ninja Team Filebird allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Filebird: from n/a through 6.4.2.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 3.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Authorization Bypass Through User-Controlled Key vulnerability in Ninja Team Filebird allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Filebird: from n/a through 6.4.2.1.
Values Added: Authorization Bypass Through User-Controlled Key vulnerability in Ninja Team Filebird filebird allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Filebird: from n/a through <= 6.4.2.1.

Type: References

Type: Metrics
Values Removed: cvssV3_1 {'score': 3.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Tue, 15 Apr 2025 20:30:00 +0000

Type: First Time appeared
Values Added: Ninjateam; Ninjateam filebird

Type: CPEs
Values Added: cpe:2.3:a:ninjateam:filebird:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Ninjateam; Ninjateam filebird

Tue, 25 Feb 2025 17:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 25 Feb 2025 14:30:00 +0000

Type: Description
Values Added: Authorization Bypass Through User-Controlled Key vulnerability in Ninja Team Filebird allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Filebird: from n/a through 6.4.2.1.

Type: Title
Values Added: WordPress FileBird plugin <= 6.4.2.1 - Insecure Direct Object References (IDOR) vulnerability

Type: Weaknesses
Values Added: CWE-639

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 3.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:45.660Z

Reserved: 2025-02-17T11:51:47.717Z

Link: CVE-2025-26977

Vulnrichment

Updated: 2025-02-25T17:07:14.639Z

NVD

Status: Modified

Published: 2025-02-25T15:15:30.443

Modified: 2026-04-23T15:26:10.447

Link: CVE-2025-26977

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T15:15:20Z

Weaknesses