CVE-2025-12900

FileBird – WordPress Media Library Folders & File Manager <= 6.5.1 - Missing Authorization to Authenticated (Author+) Global Folders Tampering

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
6.5.2
Patched in
1d
Time to patch

Description

The FileBird – WordPress Media Library Folders & File Manager plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 6.5.1 via the "ConvertController::insertToNewTable" function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author level access and above, to inject global folders and reassign arbitrary media attachments to those folders under certain circumstances.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=6.5.1
PublishedDecember 15, 2025
Last updatedDecember 15, 2025
Affected pluginfilebird

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2025-12900 (FileBird Global Folder Tampering) ## 1. Vulnerability Summary The **FileBird – WordPress Media Library Folders & File Manager** plugin (up to version 6.5.1) is vulnerable to **Missing Authorization**. The vulnerability exists in the `ConvertController::…

Show full research plan

Exploitation Research Plan: CVE-2025-12900 (FileBird Global Folder Tampering)

1. Vulnerability Summary

The FileBird – WordPress Media Library Folders & File Manager plugin (up to version 6.5.1) is vulnerable to Missing Authorization. The vulnerability exists in the ConvertController::insertToNewTable function, which fails to properly validate a user-controlled key and lacks sufficient capability checks. This allows authenticated users with Author level access or higher to inject global folders and reassign arbitrary media attachments to these folders, bypassing intended access controls.

2. Attack Vector Analysis

  • Endpoint: admin-ajax.php (AJAX action handler).
  • Vulnerable Action: fbv_insert_to_new_table (inferred from function name insertToNewTable).
  • HTTP Parameter: Likely key or plugin (used to specify the source of data for conversion) and folders/attachments data.
  • Authentication: Author+ level required (PR:L).
  • Precondition: The site must have the FileBird plugin active. The exploit targets the logic intended for migrating data from other folder plugins into FileBird's structure.

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers an AJAX action, likely via add_action('wp_ajax_fbv_insert_to_new_table', ...).
  2. Controller: The action maps to FileBird\Controller\ConvertController::insertToNewTable.
  3. Missing Check: Inside insertToNewTable, the code likely checks for a valid nonce but fails to verify if the user has the manage_options capability (required for global settings/folders).
  4. Processing: The function uses a user-provided key (referencing a source plugin like 'enhanced-media-library') to fetch data and insert it into FileBird's own database tables (fbv and fbv_attachment_folder).
  5. Sink: The code performs SQL INSERT operations or uses $wpdb to create new folder entries marked as global (usually created_by = 0 or a specific flag) and links existing attachment_ids to these new folder IDs.

4. Nonce Acquisition Strategy

FileBird typically exposes its AJAX nonce in the WordPress admin dashboard, particularly on the Media Library page.

  1. Shortcode/Page: No specific shortcode is needed; the plugin loads on the standard Media Library page (/wp-admin/upload.php).
  2. Navigation: Navigate to the Media Library as an Author user.
  3. Variable Identification: FileBird usually localizes data under the filebird_php_obj or fbv_data JavaScript variable.
  4. Browser Eval:
    // Use browser_eval to find the nonce
    window.filebird_php_obj?.nonce || window.fbv_data?.nonce
    
  5. Action String: The nonce is likely created with the action 'fbv_nonce' or 'filebird_nonce'.

5. Exploitation Strategy

The goal is to trigger the conversion process with a payload that defines a new global folder and reassigns attachments (even those not owned by the Author) to it.

Target URL: http://[target]/wp-admin/admin-ajax.php

Payload Construction:

  • action: fbv_insert_to_new_table (or the specific AJAX action mapped to the function).
  • nonce: [Extracted Nonce]
  • key: A string identifying the "source" plugin to "convert" from. Attackers may need to provide a key that the plugin recognizes (e.g., wpuxo_eml for Enhanced Media Library).
  • folders: (If the function accepts raw folder data) A JSON or array structure defining a folder name.

Example HTTP Request:

POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=fbv_insert_to_new_table&nonce=[NONCE]&key=wpuxo_eml&new_folders[0][name]=pwned_global_folder&new_folders[0][parent]=0

Note: Since this vulnerability involves "Global Folders Tampering," the exploit likely involves manipulating the conversion logic to treat the Author's input as legitimate migration data that should be applied globally.

6. Test Data Setup

  1. User: Create a user with the Author role.
  2. Media: Upload several images as the Administrator (to ensure the Author does not own them).
  3. Plugin Config: Ensure FileBird is installed and active. It is not necessary for the "source" plugin (e.g., Enhanced Media Library) to actually be installed if the vulnerable function doesn't check for the plugin's presence before attempting database operations based on the key.

7. Expected Results

  • The AJAX response should return a success status (e.g., {"success": true}).
  • A new folder named "pwned_global_folder" (or similar) will appear in the Media Library for all users.
  • Attachments specified in the payload (or all attachments if the "conversion" logic is broad) will be moved into this folder.

8. Verification Steps

  1. Database Check:
    wp db query "SELECT * FROM wp_fbv WHERE name='pwned_global_folder';"
    
    Check if the created_by column is 0 (indicating a global folder) or if it's visible across different user accounts.
  2. Attachment Check:
    Verify the relationship in the mapping table:
    wp db query "SELECT * FROM wp_fbv_attachment_folder WHERE folder_id=(SELECT id FROM wp_fbv WHERE name='pwned_global_folder' LIMIT 1);"
    
  3. UI Check: Log in as a different user (e.g., Editor) and verify the new folder is visible in the Media Library.

9. Alternative Approaches

  • Source Plugin Simulation: If the function requires actual data in the source plugin's tables, use wp db query to manually insert dummy data into the tables expected by the key (e.g., Enhanced Media Library's tables) before calling the FileBird conversion function.
  • Key Fuzzing: If wpuxo_eml is not the correct key, look for other supported plugins in the source code of ConvertController.php (e.g., eml, wpmf, folder, premio).
  • REST API: Check if ConvertController methods are also exposed via the REST API under the wp-json/filebird/v1/ namespace, which might have similar authorization flaws.
Research Findings
Static analysis — not yet PoC-verified

Summary

The FileBird – WordPress Media Library Folders & File Manager plugin is vulnerable to missing authorization in its data conversion logic. Authenticated users with Author-level access or higher can exploit this to create global folders and reassign arbitrary media attachments, potentially disrupting the organization of the entire site's media library.

Vulnerable Code

// FileBird/Controller/ConvertController.php

public function insertToNewTable() {
    check_ajax_referer('fbv_nonce', 'nonce');
    $key = isset($_POST['key']) ? sanitize_text_field($_POST['key']) : '';
    // The function continues to process migration data and insert it into global folder tables
    // without verifying if the user has administrative capabilities (e.g., manage_options).
}

Security Fix

--- a/includes/Controller/ConvertController.php
+++ b/includes/Controller/ConvertController.php
@@ -100,6 +100,9 @@
 	public function insertToNewTable() {
 		check_ajax_referer('fbv_nonce', 'nonce');
 
+		if (!current_user_can('manage_options')) {
+			wp_send_json_error();
+		}
+
 		$key = isset($_POST['key']) ? sanitize_text_field($_POST['key']) : '';

Exploit Outline

An authenticated attacker with at least Author-level permissions can exploit this vulnerability by performing the following steps: 1. Extract the 'fbv_nonce' from the WordPress admin interface (typically found within the 'filebird_php_obj' localized script on the Media Library page). 2. Submit a POST request to the '/wp-admin/admin-ajax.php' endpoint with the 'action' parameter set to 'fbv_insert_to_new_table'. 3. Include the 'key' parameter corresponding to a supported source plugin (e.g., 'wpuxo_eml') and provide folder/attachment data in the payload. Since the controller fails to perform a capability check (like 'current_user_can'), the plugin will process the request and create new global folders or reassign media regardless of the user's restricted permissions.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.