FileBird – WordPress Media Library Folders & File Manager Security & Risk Analysis

wordpress.org/plugins/filebird

Organize thousands of WordPress media files in folders / categories with ease.

200K active installs v6.5.2 PHP + WP 3.0+ Updated Jan 12, 2026
Tags: file-manager, media, media-folders, wordpress-media-library-folders, wp-media-folders
89
A · Safe
CVEs total: 10
Unpatched: 0
Last CVE: Dec 15, 2025
Safety Verdict

Is FileBird – WordPress Media Library Folders & File Manager Safe to Use in 2026?

Generally Safe

Score 89/100

FileBird – WordPress Media Library Folders & File Manager has a strong security track record. Known vulnerabilities have been patched promptly.

10 known CVEs · Last CVE: Dec 15, 2025 · Updated 2mo ago
Risk Assessment

FileBird v6.5.2 presents a mixed security posture. On the positive side, the plugin demonstrates good practices regarding SQL query preparation (81%) and output escaping (97%), significantly reducing the risk of common web vulnerabilities like SQL injection and XSS. The absence of bundled libraries and external HTTP requests also contributes to a more controlled environment. However, a notable concern is the presence of one unprotected AJAX handler, which represents a direct entry point without proper authentication checks, posing a potential risk for unauthorized actions.

The vulnerability history is a significant red flag. With 10 known CVEs, including one critical and nine medium severity issues, the plugin has a history of security weaknesses. Although no CVEs are currently unpatched, the recurring types of vulnerabilities (Missing/Improper Authorization, XSS, SQL Injection, Authorization Bypass) suggest persistent coding flaws or an inability to fully address certain security concerns. The taint analysis, though limited in scope, identified one flow with an unsanitized path, which, if exploitable, could lead to security issues. The plugin's total attack surface is moderate, but the single unprotected entry point is a critical weakness.

Key Concerns

  • Unprotected AJAX handler
  • One flow with unsanitized path
  • 1 critical CVE in history
  • 9 medium CVEs in history
  • Recurring authorization issues
  • Recurring XSS issues
  • Recurring SQL Injection issues
Vulnerabilities
10

FileBird – WordPress Media Library Folders & File Manager Security Vulnerabilities

CVEs by Year

2021: 1 CVE
2023: 1 CVE
2024: 4 CVEs
2025: 4 CVEs

Severity Breakdown

Critical: 1
Medium: 9

10 total CVEs

CVE-2025-12900 · medium · 4.3 · Missing Authorization

FileBird – WordPress Media Library Folders & File Manager <= 6.5.1 - Missing Authorization to Authenticated (Author+) Global Folders Tampering

Dec 15, 2025 · Patched in 6.5.2 (1d)

CVE-2025-11510 · medium · 4.3 · Improper Authorization

FileBird <= 6.4.9 - Improper Authorization to Authenticated (Author+) Settings Reset

Oct 17, 2025 · Patched in 6.5.0 (1d)

CVE-2025-6986 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

FileBird – WordPress Media Library Folders & File Manager <= 6.4.8 - Authenticated (Author+) SQL Injection

Aug 5, 2025 · Patched in 6.4.9 (1d)

CVE-2025-26977 · medium · 4.3 · Authorization Bypass Through User-Controlled Key

Filebird <= 6.4.2.1 - Authenticated (Author+) Insecure Direct Object Reference

Feb 23, 2025 · Patched in 6.4.6 (9d)

CVE-2024-53825 · medium · 4.3 · Missing Authorization

Filebird <= 6.3.2 - Missing Authorization

Dec 2, 2024 · Patched in 6.3.4 (10d)

CVE-2024-2345 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

FileBird – WordPress Media Library Folders & File Manager <= 5.6.3 - Authenticated (Author+) Stored Cross-Site Scripting

Apr 16, 2024 · Patched in 5.6.4 (46d)

CVE-2024-2346 · medium · 5.4 · Authorization Bypass Through User-Controlled Key

FileBird – WordPress Media Library Folders & File Manager <= 5.6.3 - Authenticated (Author+) Insecure Direct Object Reference

Apr 16, 2024 · Patched in 5.6.4 (30d)

CVE-2024-0691 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

FileBird <= 5.6.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Folder Import

Jan 19, 2024 · Patched in 5.6.1 (193d)

CVE-2023-25966 · medium · 5.4 · Missing Authorization

Filebird <= 5.1.4 - Missing Authorization via resAdminPermissionsCheck

Mar 27, 2023 · Patched in 5.1.5 (302d)

CVE-2021-24385 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Filebird 4.7.3 - Unauthenticated SQL Injection

Jun 16, 2021 · Patched in 4.7.4 (951d)
Code Analysis
Analyzed Mar 16, 2026

FileBird – WordPress Media Library Folders & File Manager Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 21 (91 prepared)
Unescaped Output: 3 (99 escaped)
Nonce Checks: 3
Capability Checks: 17
File Operations: 4
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

81% prepared · 112 total queries

Output Escaping

97% escaped · 102 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

2 flows · 1 with unsanitized paths
restrictManagePosts (includes\Classes\Core.php:154)
Attack Surface
1 unprotected

FileBird – WordPress Media Library Folders & File Manager Attack Surface

Entry Points: 4
Unprotected: 1

AJAX Handlers 4

auth · wp_ajax_fbv_first_folder_notice · includes\Classes\Core.php:43
auth · wp_ajax_fbv_save_review · includes\Classes\Review.php:8
auth · wp_ajax_tb_load_editor · includes\Support\PageBuilders.php:194
auth · wp_ajax_fbv_sync_wpml · includes\Support\WPML.php:33

WordPress Hooks 90

action · init · blocks\filebird-gallery\init.php:53
action · rest_api_init · blocks\filebird-gallery\init.php:54
action · admin_init · filebird.php:21
action · plugins_loaded · filebird.php:122
filter · plugin_row_meta · includes\Admin\Settings.php:20
action · admin_menu · includes\Admin\Settings.php:21
action · in_admin_header · includes\Admin\Settings.php:22
action · admin_enqueue_scripts · includes\Admin\Settings.php:23
action · init · includes\Blocks\BlockController.php:10
filter · fbv_data · includes\Classes\ActivePro.php:14
filter · manage_media_columns · includes\Classes\Attachment\AttachmentSize.php:15
action · manage_media_custom_column · includes\Classes\Attachment\AttachmentSize.php:16
filter · manage_upload_sortable_columns · includes\Classes\Attachment\AttachmentSize.php:17
action · added_post_meta · includes\Classes\Attachment\AttachmentSize.php:18
action · rest_api_init · includes\Classes\Convert.php:25
filter · media_library_infinite_scrolling · includes\Classes\Core.php:32
filter · ajax_query_attachments_args · includes\Classes\Core.php:33
filter · mla_media_modal_query_final_terms · includes\Classes\Core.php:34
filter · restrict_manage_posts · includes\Classes\Core.php:35
filter · posts_clauses · includes\Classes\Core.php:36
filter · attachment_fields_to_save · includes\Classes\Core.php:37
action · admin_enqueue_scripts · includes\Classes\Core.php:39
action · add_attachment · includes\Classes\Core.php:40
action · delete_attachment · includes\Classes\Core.php:41
action · pre-upload-ui · includes\Classes\Core.php:42
action · admin_notices · includes\Classes\Core.php:44
action · attachment_fields_to_edit · includes\Classes\Core.php:45
filter · wp_edited_image_metadata · includes\Classes\Core.php:46
filter · users_have_additional_content · includes\Classes\Core.php:48
action · deleted_user · includes\Classes\Core.php:49
filter · css_do_concat · includes\Classes\Core.php:51
filter · fbv_update_database_notice · includes\Classes\Core.php:60
action · admin_enqueue_scripts · includes\Classes\Feedback.php:8
action · admin_footer · includes\Classes\Feedback.php:16
filter · mailpoet_conflict_resolver_whitelist_script · includes\Classes\Modules\ModuleCompatibility.php:9
filter · mailpoet_conflict_resolver_whitelist_style · includes\Classes\Modules\ModuleCompatibility.php:10
filter · fbv_get_count_where_query · includes\Classes\Modules\ModuleExclude.php:6
filter · upload_mimes · includes\Classes\Modules\ModuleSvg.php:11
filter · wp_check_filetype_and_ext · includes\Classes\Modules\ModuleSvg.php:12
filter · wp_handle_upload_prefilter · includes\Classes\Modules\ModuleSvg.php:13
filter · fbv_folder_created_by · includes\Classes\Modules\ModuleUser.php:15
action · admin_notices · includes\Classes\Review.php:12
action · filebird_remove_zip_files · includes\Classes\Schedule.php:9
action · filebird_every_12_hours_jobs · includes\Classes\Schedule.php:10
action · rest_api_init · includes\Controller\Import\ImportController.php:13
action · admin_notices · includes\Fallback.php:4
action · init · includes\I18n.php:10
filter · fbv_data · includes\Model\SettingModel.php:18
filter · fbv_data · includes\Model\UserSettingModel.php:31
action · rest_api_init · includes\Rest\RestApi.php:13
action · acf/include_field_types · includes\Support\ACF.php:9
action · acf/register_fields · includes\Support\ACF.php:10
action · init · includes\Support\DocumentGallery.php:11
action · dg_query · includes\Support\DocumentGallery.php:18
action · init · includes\Support\PageBuilders.php:13
action · wp_footer · includes\Support\PageBuilders.php:117
action · elementor/editor/before_enqueue_scripts · includes\Support\PageBuilders.php:129
action · fl_before_sortable_enqueue · includes\Support\PageBuilders.php:133
action · brizy_editor_enqueue_scripts · includes\Support\PageBuilders.php:142
action · cornerstone_before_wp_editor · includes\Support\PageBuilders.php:146
action · et_fb_enqueue_assets · includes\Support\PageBuilders.php:150
action · divi_visual_builder_assets_before_enqueue_scripts · includes\Support\PageBuilders.php:156
action · tcb_main_frame_enqueue · includes\Support\PageBuilders.php:165
action · fusion_builder_enqueue_live_scripts · includes\Support\PageBuilders.php:169
action · oxygen_enqueue_ui_scripts · includes\Support\PageBuilders.php:173
action · tatsu_builder_footer · includes\Support\PageBuilders.php:177
action · dokan_enqueue_scripts · includes\Support\PageBuilders.php:181
action · bricks_after_footer · includes\Support\PageBuilders.php:206
action · fusion_enqueue_live_scripts · includes\Support\PageBuilders.php:211
action · mfn_footer_enqueue · includes\Support\PageBuilders.php:216
action · learnpress/addons/frontend_editor/enqueue_scripts · includes\Support\PageBuilders.php:226
action · admin_enqueue_scripts · includes\Support\PageBuilders.php:231
action · admin_print_footer_scripts-yootheme_customizer · includes\Support\PageBuilders.php:236
action · zionbuilder/editor/before_scripts · includes\Support\PageBuilders.php:241
action · znpb_editor_after_load_scripts · includes\Support\PageBuilders.php:245
filter · fbv_speedup_get_count_query · includes\Support\Polylang.php:24
filter · fbv_ids_assigned_to_folder · includes\Support\Polylang.php:26
filter · fbv_get_count_query · includes\Support\Polylang.php:27
filter · fbv_all_folders_and_count · includes\Support\Polylang.php:28
filter · fbv_data · includes\Support\Polylang.php:29
filter · fbv_ids_assigned_to_folder · includes\Support\WPML.php:30
filter · wpml_pre_parse_query · includes\Support\WPML.php:31
filter · wpml_post_parse_query · includes\Support\WPML.php:32
filter · fbv_data · includes\Support\WPML.php:34
filter · fbv_get_count_query · includes\Support\WPML.php:37
filter · fbv_speedup_get_count_query · includes\Support\WPML.php:38
filter · fbv_all_folders_and_count · includes\Support\WPML.php:39
filter · script_loader_tag · includes\Utils\Vite.php:24
filter · script_loader_src · includes\Utils\Vite.php:38
action · admin_head · includes\Utils\Vite.php:55

Scheduled Events 2

filebird_remove_zip_files
filebird_every_12_hours_jobs
Maintenance & Trust

FileBird – WordPress Media Library Folders & File Manager Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 12, 2026
PHP min version
Downloads: 6.2M

Community Trust

Rating: 94/100
Number of ratings: 1,106
Active installs: 200K
Developer Profile

FileBird – WordPress Media Library Folders & File Manager Developer Profile

Ninja Team

13 plugins · 496K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 93 days
Detection Fingerprints

How We Detect FileBird – WordPress Media Library Folders & File Manager

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/filebird/assets/css/photoswipe/photoswipe.css
/wp-content/plugins/filebird/assets/css/photoswipe/default-skin.css
/wp-content/plugins/filebird/assets/js/photoswipe/photoswipe.min.js
/wp-content/plugins/filebird/assets/js/photoswipe/photoswipe-ui-default.min.js
/wp-content/plugins/filebird/assets/js/photoswipe/fbv-photoswipe.min.js
Script Paths
/wp-content/plugins/filebird/blocks/filebird-gallery/init.php
Version Parameters
filebird/assets/css/photoswipe/photoswipe.css?ver=
filebird/assets/css/photoswipe/default-skin.css?ver=
filebird/assets/js/photoswipe/photoswipe.min.js?ver=
filebird/assets/js/photoswipe/photoswipe-ui-default.min.js?ver=
filebird/assets/js/photoswipe/fbv-photoswipe.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
fbv-media-folder-root, njfb-modal-content, fbv-folder-item, fbv-sidebar
HTML Comments
FileBird gallery, FileBird Media Library Folder, FileBird Lite, FileBird
Data Attributes
data-filebird-modal, data-njfb-modal, data-fbv-folder
JS Globals
njfb_plugin_url, njfb_version, njfb_rest_url
REST Endpoints
/wp-json/filebird/v1
/wp-json/filebird/public/v1
FAQ

Frequently Asked Questions about FileBird – WordPress Media Library Folders & File Manager