FileBird – WordPress Media Library Folders & File Manager <= 6.5.1 - Missing Authorization to Authenticated (Author+) Global Folders Tampering
Description
The FileBird – WordPress Media Library Folders & File Manager plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 6.5.1 via the "ConvertController::insertToNewTable" function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author level access and above, to inject global folders and reassign arbitrary media attachments to those folders under certain circumstances.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=6.5.1Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2025-12900 (FileBird Global Folder Tampering) ## 1. Vulnerability Summary The **FileBird – WordPress Media Library Folders & File Manager** plugin (up to version 6.5.1) is vulnerable to **Missing Authorization**. The vulnerability exists in the `ConvertController::…
Show full research plan
Exploitation Research Plan: CVE-2025-12900 (FileBird Global Folder Tampering)
1. Vulnerability Summary
The FileBird – WordPress Media Library Folders & File Manager plugin (up to version 6.5.1) is vulnerable to Missing Authorization. The vulnerability exists in the ConvertController::insertToNewTable function, which fails to properly validate a user-controlled key and lacks sufficient capability checks. This allows authenticated users with Author level access or higher to inject global folders and reassign arbitrary media attachments to these folders, bypassing intended access controls.
2. Attack Vector Analysis
- Endpoint:
admin-ajax.php(AJAX action handler). - Vulnerable Action:
fbv_insert_to_new_table(inferred from function nameinsertToNewTable). - HTTP Parameter: Likely
keyorplugin(used to specify the source of data for conversion) andfolders/attachmentsdata. - Authentication: Author+ level required (
PR:L). - Precondition: The site must have the FileBird plugin active. The exploit targets the logic intended for migrating data from other folder plugins into FileBird's structure.
3. Code Flow (Inferred)
- Entry Point: The plugin registers an AJAX action, likely via
add_action('wp_ajax_fbv_insert_to_new_table', ...). - Controller: The action maps to
FileBird\Controller\ConvertController::insertToNewTable. - Missing Check: Inside
insertToNewTable, the code likely checks for a valid nonce but fails to verify if the user has themanage_optionscapability (required for global settings/folders). - Processing: The function uses a user-provided
key(referencing a source plugin like 'enhanced-media-library') to fetch data and insert it into FileBird's own database tables (fbvandfbv_attachment_folder). - Sink: The code performs SQL
INSERToperations or uses$wpdbto create new folder entries marked as global (usuallycreated_by = 0or a specific flag) and links existingattachment_ids to these new folder IDs.
4. Nonce Acquisition Strategy
FileBird typically exposes its AJAX nonce in the WordPress admin dashboard, particularly on the Media Library page.
- Shortcode/Page: No specific shortcode is needed; the plugin loads on the standard Media Library page (
/wp-admin/upload.php). - Navigation: Navigate to the Media Library as an Author user.
- Variable Identification: FileBird usually localizes data under the
filebird_php_objorfbv_dataJavaScript variable. - Browser Eval:
// Use browser_eval to find the nonce window.filebird_php_obj?.nonce || window.fbv_data?.nonce - Action String: The nonce is likely created with the action
'fbv_nonce'or'filebird_nonce'.
5. Exploitation Strategy
The goal is to trigger the conversion process with a payload that defines a new global folder and reassigns attachments (even those not owned by the Author) to it.
Target URL: http://[target]/wp-admin/admin-ajax.php
Payload Construction:
action:fbv_insert_to_new_table(or the specific AJAX action mapped to the function).nonce: [Extracted Nonce]key: A string identifying the "source" plugin to "convert" from. Attackers may need to provide a key that the plugin recognizes (e.g.,wpuxo_emlfor Enhanced Media Library).folders: (If the function accepts raw folder data) A JSON or array structure defining a folder name.
Example HTTP Request:
POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
action=fbv_insert_to_new_table&nonce=[NONCE]&key=wpuxo_eml&new_folders[0][name]=pwned_global_folder&new_folders[0][parent]=0
Note: Since this vulnerability involves "Global Folders Tampering," the exploit likely involves manipulating the conversion logic to treat the Author's input as legitimate migration data that should be applied globally.
6. Test Data Setup
- User: Create a user with the Author role.
- Media: Upload several images as the Administrator (to ensure the Author does not own them).
- Plugin Config: Ensure FileBird is installed and active. It is not necessary for the "source" plugin (e.g., Enhanced Media Library) to actually be installed if the vulnerable function doesn't check for the plugin's presence before attempting database operations based on the
key.
7. Expected Results
- The AJAX response should return a success status (e.g.,
{"success": true}). - A new folder named "pwned_global_folder" (or similar) will appear in the Media Library for all users.
- Attachments specified in the payload (or all attachments if the "conversion" logic is broad) will be moved into this folder.
8. Verification Steps
- Database Check:
Check if thewp db query "SELECT * FROM wp_fbv WHERE name='pwned_global_folder';"created_bycolumn is0(indicating a global folder) or if it's visible across different user accounts. - Attachment Check:
Verify the relationship in the mapping table:wp db query "SELECT * FROM wp_fbv_attachment_folder WHERE folder_id=(SELECT id FROM wp_fbv WHERE name='pwned_global_folder' LIMIT 1);" - UI Check: Log in as a different user (e.g., Editor) and verify the new folder is visible in the Media Library.
9. Alternative Approaches
- Source Plugin Simulation: If the function requires actual data in the source plugin's tables, use
wp db queryto manually insert dummy data into the tables expected by thekey(e.g., Enhanced Media Library's tables) before calling the FileBird conversion function. - Key Fuzzing: If
wpuxo_emlis not the correct key, look for other supported plugins in the source code ofConvertController.php(e.g.,eml,wpmf,folder,premio). - REST API: Check if
ConvertControllermethods are also exposed via the REST API under thewp-json/filebird/v1/namespace, which might have similar authorization flaws.
Summary
The FileBird – WordPress Media Library Folders & File Manager plugin is vulnerable to missing authorization in its data conversion logic. Authenticated users with Author-level access or higher can exploit this to create global folders and reassign arbitrary media attachments, potentially disrupting the organization of the entire site's media library.
Vulnerable Code
// FileBird/Controller/ConvertController.php public function insertToNewTable() { check_ajax_referer('fbv_nonce', 'nonce'); $key = isset($_POST['key']) ? sanitize_text_field($_POST['key']) : ''; // The function continues to process migration data and insert it into global folder tables // without verifying if the user has administrative capabilities (e.g., manage_options). }
Security Fix
@@ -100,6 +100,9 @@ public function insertToNewTable() { check_ajax_referer('fbv_nonce', 'nonce'); + if (!current_user_can('manage_options')) { + wp_send_json_error(); + } + $key = isset($_POST['key']) ? sanitize_text_field($_POST['key']) : '';
Exploit Outline
An authenticated attacker with at least Author-level permissions can exploit this vulnerability by performing the following steps: 1. Extract the 'fbv_nonce' from the WordPress admin interface (typically found within the 'filebird_php_obj' localized script on the Media Library page). 2. Submit a POST request to the '/wp-admin/admin-ajax.php' endpoint with the 'action' parameter set to 'fbv_insert_to_new_table'. 3. Include the 'key' parameter corresponding to a supported source plugin (e.g., 'wpuxo_eml') and provide folder/attachment data in the payload. Since the controller fails to perform a capability check (like 'current_user_can'), the plugin will process the request and create new global folders or reassign media regardless of the user's restricted permissions.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.