Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types Security & Risk Analysis

wordpress.org/plugins/wicked-folders

Organize your pages, posts, and custom post types into folders. Upgrade to pro for media library folders, WooCommerce integration, and more.

20K active installs · v4.1.1 · PHP + · WP 4.6+ · Updated Mar 3, 2026
Tags: folders, media-library-categories, media-library-folders, organization, page-folders
Score: 92 · A · Safe
CVEs total: 22
Unpatched: 0
Last CVE: Mar 14, 2026
Safety Verdict

Is Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types Safe to Use in 2026?

Generally Safe

Score 92/100

Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types has a strong security track record. Known vulnerabilities have been patched promptly.

22 known CVEs · Last CVE: Mar 14, 2026 · Updated 1mo ago
Risk Assessment

The wicked-folders plugin v4.1.1 exhibits a mixed security posture. On one hand, static code analysis reveals a strong adherence to modern security practices. The plugin demonstrates excellent control over its attack surface, with zero identified AJAX handlers, REST API routes, shortcodes, or cron events that are unprotected. Furthermore, the code signals indicate robust security measures, with a high percentage of SQL queries using prepared statements, a nearly perfect rate of output escaping, and a substantial number of capability checks. The absence of dangerous functions, file operations, and external HTTP requests is also a positive sign. Taint analysis also found no unsanitized paths, suggesting a low risk of direct code injection or path traversal vulnerabilities originating from the analyzed flows.

However, the plugin's vulnerability history presents a significant concern. A large number of past CVEs (22 total) have been identified, with a notable concentration of medium-severity vulnerabilities. The common vulnerability types, including Authorization Bypass, Cross-Site Request Forgery, Missing Authorization, and SQL Injection, are particularly worrying as they indicate recurring weaknesses in how user inputs and actions are handled. While there are currently no unpatched vulnerabilities, the sheer volume and recurring nature of past issues suggest a need for ongoing vigilance and thorough security auditing. The presence of bundled libraries like Select2 also introduces a potential risk if it's an outdated version, though this is not explicitly detailed in the provided data. The recent vulnerability in 2026 suggests a potential future risk or an error in the data provided.

In conclusion, while wicked-folders v4.1.1 demonstrates good internal coding practices and a limited attack surface from static analysis, its historical vulnerability profile is a substantial red flag. The plugin has a track record of security flaws that have previously been exploited. While the current version appears to have addressed past issues, the recurring types of vulnerabilities suggest potential underlying architectural weaknesses. Users should proceed with caution, ensuring the plugin is consistently updated and closely monitoring for any new security advisories, despite the positive static analysis results.

Key Concerns

  • Significant historical CVEs
  • Common vulnerability types observed
  • Bundled library (Select2)
Vulnerabilities: 22

Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types Security Vulnerabilities

CVEs by Year

  • 2021: 1 CVE
  • 2023: 20 CVEs
  • 2026: 1 CVE

Severity Breakdown

  • High: 1
  • Medium: 21

22 total CVEs

CVE-2026-1883 · medium · 4.3 · Authorization Bypass Through User-Controlled Key

Wicked Folders <= 4.1.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Folder Deletion

Mar 14, 2026 Patched in 4.1.1 (1d)
CVE-2023-0724 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Wicked Folders <= 2.18.16 - Cross-Site Request Forgery via ajax_add_folder

Feb 7, 2023 Patched in 2.18.17 (350d)
CVE-2023-0712 · medium · 5.4 · Missing Authorization

Wicked Folders <= 2.18.16 - Missing Authorization on ajax_move_object

Feb 7, 2023 Patched in 2.18.17 (350d)
CVE-2023-0722 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Wicked Folders <= 2.18.16 - Cross-Site Request Forgery via ajax_save_state

Feb 7, 2023 Patched in 2.18.17 (350d)
CVE-2023-0713 · medium · 5.4 · Missing Authorization

Wicked Folders <= 2.18.16 - Missing Authorization on ajax_add_folder

Feb 7, 2023 Patched in 2.18.17 (350d)
CVE-2023-0718 · medium · 5.4 · Missing Authorization

Wicked Folders <= 2.18.16 - Missing Authorization on ajax_save_folder

Feb 7, 2023 Patched in 2.18.17 (350d)
CVE-2023-0717 · medium · 5.4 · Missing Authorization

Wicked Folders <= 2.18.16 - Missing Authorization via ajax_delete_folder

Feb 7, 2023 Patched in 2.18.17 (350d)
CVE-2023-0716 · medium · 5.4 · Missing Authorization

Wicked Folders <= 2.18.16 - Missing Authorization on ajax_edit_folder

Feb 7, 2023 Patched in 2.18.17 (350d)
CVE-2023-0730 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Wicked Folders <= 2.18.16 - Cross-Site Request Forgery via ajax_save_folder_order

Feb 7, 2023 Patched in 2.18.17 (350d)
CVE-2023-0728 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Wicked Folders <= 2.18.16 - Cross-Site Request Forgery on ajax_save_folder

Feb 7, 2023 Patched in 2.18.17 (350d)
CVE-2023-0726 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Wicked Folders <= 2.18.16 - Cross-Site Request Forgery via ajax_edit_folder

Feb 7, 2023 Patched in 2.18.17 (350d)
CVE-2023-0727 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Wicked Folders <= 2.18.16 - Cross-Site Request Forgery via ajax_delete_folder

Feb 7, 2023 Patched in 2.18.17 (350d)
CVE-2023-0725 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Wicked Folders <= 2.18.16 - Cross-Site Request Forgery via ajax_clone_folder

Feb 7, 2023 Patched in 2.18.17 (350d)
CVE-2023-0720 · medium · 5.4 · Missing Authorization

Wicked Folders <= 2.18.16 - Missing Authorization on ajax_save_folder_order

Feb 7, 2023 Patched in 2.18.17 (350d)
CVE-2023-0719 · medium · 5.4 · Missing Authorization

Wicked Folders <= 2.18.16 - Missing Authorization on ajax_save_sort_order

Feb 7, 2023 Patched in 2.18.17 (350d)
CVE-2023-0729 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Wicked Folders <= 2.18.16 - Cross-Site Request Forgery via ajax_save_sort_order

Feb 7, 2023 Patched in 2.18.17 (350d)
CVE-2023-0715 · medium · 5.4 · Missing Authorization

Wicked Folders <= 2.18.16 - Missing Authorization on ajax_clone_folder

Feb 7, 2023 Patched in 2.18.17 (350d)
CVE-2023-0711 · medium · 5.4 · Missing Authorization

Wicked Folders <= 2.18.16 - Missing Authorization via ajax_save_state

Feb 7, 2023 Patched in 2.18.17 (350d)
CVE-2023-0723 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Wicked Folders <= 2.18.16 - Cross-Site Request Forgery on ajax_move_object

Feb 7, 2023 Patched in 2.18.17 (350d)
CVE-2023-0684 · medium · 5.4 · Missing Authorization

Wicked Folders <= 2.18.16 - Missing Authorization via ajax_unassign_folders

Feb 6, 2023 Patched in 2.18.17 (351d)
CVE-2023-0685 · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Wicked Folders <= 2.18.16 - Cross-Site Request Forgery via ajax_unassign_folders

Feb 6, 2023 Patched in 2.18.17 (351d)
CVE-2021-24919 · high · 8.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Wicked Folders <= 2.18.9 - Subscriber+ SQL Injection

Dec 30, 2021 Patched in 2.18.10 (754d)
Code Analysis
Analyzed Mar 16, 2026

Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 6 (23 prepared)
  • Unescaped Output: 3 (55 escaped)
  • Nonce Checks: 1
  • Capability Checks: 15
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

79% prepared · 29 total queries

Output Escaping

95% escaped · 58 total outputs

Data Flows: All sanitized

Data Flow Analysis

2 flows
save_settings (classes\admin.php:614)
Attack Surface

Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types Attack Surface

Entry Points: 0
Unprotected: 0

WordPress Hooks: 37
action · admin_enqueue_scripts · classes\admin.php:17
action · admin_enqueue_scripts · classes\admin.php:18
action · admin_menu · classes\admin.php:19
action · pre_get_posts · classes\admin.php:20
action · admin_notices · classes\admin.php:21
action · network_admin_notices · classes\admin.php:22
action · manage_pages_custom_column · classes\admin.php:23
action · manage_posts_custom_column · classes\admin.php:24
action · wp_enqueue_media · classes\admin.php:25
action · admin_footer · classes\admin.php:26
filter · wpseo_primary_term_taxonomies · classes\admin.php:28
filter · wp_terms_checklist_args · classes\admin.php:29
filter · admin_body_class · classes\admin.php:30
filter · manage_posts_columns · classes\admin.php:31
filter · manage_pages_columns · classes\admin.php:32
filter · post_column_taxonomy_links · classes\admin.php:33
filter · manage_edit-lesson_columns · classes\admin.php:36
filter · manage_edit-pretty-link_columns · classes\admin.php:37
filter · manage_edit-agc_course_columns · classes\admin.php:40
filter · manage_edit-layout_block_columns · classes\admin.php:41
filter · manage_edit-testimonial_columns · classes\admin.php:44
filter · manage_edit-testimonial_rotator_columns · classes\admin.php:45
filter · manage_edit-wbcr-snippets_columns · classes\admin.php:48
filter · plugin_action_links_wicked-folders/wicked-folders.php · classes\admin.php:50
filter · Wicked_Folders\Folder_Collection\fetch_item_counts\count_query · classes\integrations\wpml\integrator.php:13
filter · Wicked_Folders\Folder_Collection\fetch_item_counts\assigned_count_query · classes\integrations\wpml\integrator.php:14
filter · Wicked_Folders\Folder_Collection\fetch_item_counts\total_count_query · classes\integrations\wpml\integrator.php:15
filter · wicked_folders_after_ajax_scripts · classes\integrations\wpml\integrator.php:16
action · init · classes\wicked-folders.php:33
action · rest_api_init · classes\wicked-folders.php:34
action · tto/update-order · classes\wicked-folders.php:38
action · Wicked_Folders\All_Folders_Collection\fetch · classes\wicked-folders.php:40
action · Wicked_Folders\All_Folders_Collection\fetch · classes\wicked-folders.php:41
action · Wicked_Folders\All_Folders_Collection\fetch · classes\wicked-folders.php:42
action · Wicked_Folders\All_Folders_Collection\fetch · classes\wicked-folders.php:43
action · Wicked_Folders\All_Folders_Collection\fetch · classes\wicked-folders.php:44
filter · et_common_should_enqueue_react · classes\wicked-folders.php:46
Maintenance & Trust

Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Mar 3, 2026
  • PHP min version
  • Downloads: 681K

Community Trust

  • Rating: 98/100
  • Number of ratings: 54
  • Active installs: 20K
Developer Profile

Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types Developer Profile

wickedplugins

4 plugins · 21K total installs

  • Trust score: 78
  • Avg Security Score: 98/100
  • Avg Patch Time: 353 days
Detection Fingerprints

How We Detect Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wicked-folders/vendor/select2/js/select2.full.min.js
  • /wp-content/plugins/wicked-folders/js/admin.js
  • /wp-content/plugins/wicked-folders/vendor/select2/css/select2.min.css
  • /wp-content/plugins/wicked-folders/css/admin.css
  • /dist/folders.js
  • /dist/folders.css
Script Paths
  • /wp-content/plugins/wicked-folders/vendor/select2/js/select2.full.min.js
  • /wp-content/plugins/wicked-folders/js/admin.js
  • /dist/folders.js
Version Parameters
  • wicked-folders/vendor/select2/js/select2.full.min.js?ver=
  • wicked-folders/js/admin.js?ver=
  • wicked-folders/vendor/select2/css/select2.min.css?ver=
  • wicked-folders/css/admin.css?ver=
  • /dist/folders.js?ver=
  • /dist/folders.css?ver=

HTML / DOM Fingerprints

CSS Classes
  • wicked-folders-enabled
Data Attributes
  • data-wf-custom-field-id
  • data-wf-custom-field-name
JS Globals
  • wicked_folders_state
  • wicked_folders_settings
REST Endpoints
  • /wp-json/wicked-folders/v1/folders
FAQ

Frequently Asked Questions about Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types