Description
The Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the delete_folders() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary folders created by other users.
Published: 2026-03-15
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Deletion of User-Generated Folders
Action: Patch Now
AI Analysis

Impact

The Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types plugin for WordPress suffers from an Insecure Direct Object Reference in the delete_folders() function due to missing validation on a user-controlled parameter. This flaw allows an authenticated user with Contributor-level access or higher to delete any folder created by another user, effectively erasing user content and harming data integrity and availability. The flaw is classified as CWE‑639 (Indirect Control Flow Transfer).

Affected Systems

This vulnerability affects all installations of the Wicked Folders plugin for WordPress with version 4.1.0 or earlier. The affected vendor is wickedplugins, which distributes the organized page, post, and custom post type folders within WordPress sites.

Risk and Exploitability

The CVSS v3.1 score of 4.3 indicates moderate risk, and the EPSS score of less than 1 % suggests that exploitation is unlikely but still possible. The vulnerability is not listed in the CISA KEV catalog. Attackers must authenticate to the site and possess a Wordpress role equal to or higher than Contributor to exploit the flaw, making it an authenticated, privilege‑escalated vulnerability rather than a remote code execution. Given the limited exploitation probability, but potential for data loss, administrators should consider this a risk requiring timely patching.

Generated by OpenCVE AI on March 16, 2026 at 23:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Wicked Folders plugin to the latest available version (any release newer than 4.1.0).
  • If an update cannot be performed immediately, remove the folder deletion capability from Contributor or higher roles by adjusting the plugin’s permission settings in WordPress.

Generated by OpenCVE AI on March 16, 2026 at 23:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Wickedplugins
Wickedplugins wicked Folders – Folder Organizer For Pages, Posts, And Custom Post Types
Wordpress
Wordpress wordpress
Vendors & Products Wickedplugins
Wickedplugins wicked Folders – Folder Organizer For Pages, Posts, And Custom Post Types
Wordpress
Wordpress wordpress

Sun, 15 Mar 2026 01:45:00 +0000

Type Values Removed Values Added
Description The Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the delete_folders() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary folders created by other users.
Title Wicked Folders <= 4.1.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Folder Deletion
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Wickedplugins Wicked Folders – Folder Organizer For Pages, Posts, And Custom Post Types
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-16T19:15:04.692Z

Reserved: 2026-02-04T13:48:43.162Z

Link: CVE-2026-1883

cve-icon Vulnrichment

Updated: 2026-03-16T19:14:36.354Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-16T14:18:08.200

Modified: 2026-03-16T14:53:07.390

Link: CVE-2026-1883

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T13:39:02Z

Weaknesses