{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14508", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-11T01:17:23.655Z", "datePublished": "2025-12-13T04:31:29.716Z", "dateUpdated": "2026-04-08T17:06:51.974Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:06:51.974Z"}, "affected": [{"vendor": "yalogica", "product": "MediaCommander \u2013 Bring Folders to Media, Posts, and Pages", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.3.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The MediaCommander \u2013 Bring Folders to Media, Posts, and Pages plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the import-csv REST API endpoint in all versions up to, and including, 2.3.1. This is due to the endpoint using `upload_files` capability check (Author level) for a destructive operation that can delete all folders. This makes it possible for authenticated attackers, with Author-level access and above, to delete all folder organization data created by Administrators and other users."}], "title": "MediaCommander \u2013 Bring Folders to Media, Posts, and Pages <= 2.3.1 - Missing Authorization to Authenticated (Author+) Media Folder Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9102fe7e-7baa-4bc0-879f-cc7df1ea13d2?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mediacommander/trunk/includes/Rest/Controllers/FoldersController.php#L127"}, {"url": "https://plugins.trac.wordpress.org/browser/mediacommander/trunk/includes/Models/FoldersModel.php#L793"}, {"url": "https://plugins.trac.wordpress.org/changeset/3417928/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "timeline": [{"time": "2025-12-12T16:18:08.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-15T15:43:16.467349Z", "id": "CVE-2025-14508", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:47:21.997Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14508", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-15T15:43:16.467349Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:43:17.634Z"}}], "cna": {"title": "MediaCommander \u2013 Bring Folders to Media, Posts, and Pages <= 2.3.1 - Missing Authorization to Authenticated (Author+) Media Folder Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}}], "affected": [{"vendor": "yalogica", "product": "MediaCommander \u2013 Bring Folders to Media, Posts, and Pages", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.3.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-12T16:18:08.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9102fe7e-7baa-4bc0-879f-cc7df1ea13d2?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mediacommander/trunk/includes/Rest/Controllers/FoldersController.php#L127"}, {"url": "https://plugins.trac.wordpress.org/browser/mediacommander/trunk/includes/Models/FoldersModel.php#L793"}, {"url": "https://plugins.trac.wordpress.org/changeset/3417928/"}], "descriptions": [{"lang": "en", "value": "The MediaCommander \u2013 Bring Folders to Media, Posts, and Pages plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the import-csv REST API endpoint in all versions up to, and including, 2.3.1. This is due to the endpoint using `upload_files` capability check (Author level) for a destructive operation that can delete all folders. This makes it possible for authenticated attackers, with Author-level access and above, to delete all folder organization data created by Administrators and other users."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-13T04:31:29.716Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14508", "state": "PUBLISHED", "dateUpdated": "2025-12-15T15:47:21.997Z", "dateReserved": "2025-12-11T01:17:23.655Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-13T04:31:29.716Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The MediaCommander \u2013 Bring Folders to Media, Posts, and Pages plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the import-csv REST API endpoint in all versions up to, and including, 2.3.1. This is due to the endpoint using `upload_files` capability check (Author level) for a destructive operation that can delete all folders. This makes it possible for authenticated attackers, with Author-level access and above, to delete all folder organization data created by Administrators and other users."}], "id": "CVE-2025-14508", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-13T16:16:50.953", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mediacommander/trunk/includes/Models/FoldersModel.php#L793"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mediacommander/trunk/includes/Rest/Controllers/FoldersController.php#L127"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3417928/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9102fe7e-7baa-4bc0-879f-cc7df1ea13d2?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T17:10:30.770784+00:00", "value": {"mitigation_remediation": ["Upgrade the MediaCommander plugin to version 2.3.2 or later, which implements proper capability checks for folder deletion operations.", "If an upgrade is not immediately possible, restrict Authors from using the CSV import feature by adjusting role capabilities or disabling the endpoint through plugin settings or a custom snippet.", "Monitor WordPress REST API logs for unusual folder deletion requests and verify that only authorized administrators perform such actions."], "summary": {"action": "Apply Patch", "impact": "Unauthorized deletion of media folder organization data by authenticated users with Author-level access"}, "threat_synthesis": {"affected_systems": "All installations of the MediaCommander \u2013 Bring Folders to Media, Posts, and Pages plugin built by yalogica, currently affected by versions through 2.3.1 inclusive. Any site running one of these versions is at risk.", "description_and_impact": "The MediaCommander plugin allows authenticated users who have Author privileges or higher to delete all media folder organization data via the import-csv REST API endpoint. This occurs because the endpoint performs the deletion with an upload_files capability check, which is insufficient for a destructive operation. As a result, an attacker can erase the folder structure set up by administrators and other users, causing loss of organization, potential disruption to media management, and administrative overhead.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 6.5, indicating moderate severity, while the EPSS score of < 1% suggests a very low exploitation probability in the general population. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the authenticated REST API endpoint import-csv; an attacker must first obtain Author or higher credentials to exploit the missing capability check. If successful, the attacker can delete all folder organization data, but cannot achieve further privilege escalation or code execution solely through this flaw."}}}}, "created": "2025-12-14T21:14:50.762796+00:00", "updated": "2026-04-21T17:15:25.337072+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}