{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1883", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-04T13:48:43.162Z", "datePublished": "2026-03-15T01:19:05.803Z", "dateUpdated": "2026-04-08T16:55:43.918Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:55:43.918Z"}, "affected": [{"vendor": "wickedplugins", "product": "Wicked Folders \u2013 Folder Organizer for Pages, Posts, and Custom Post Types", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Wicked Folders \u2013 Folder Organizer for Pages, Posts, and Custom Post Types plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the delete_folders() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary folders created by other users."}], "title": "Wicked Folders <= 4.1.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Folder Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5cec2c52-d780-4d94-a5b2-d3b405bce49c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3473857/wicked-folders"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Youssef Elouaer"}], "timeline": [{"time": "2026-02-04T15:27:18.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-14T13:11:53.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T19:14:30.706921Z", "id": "CVE-2026-1883", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T19:15:04.692Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1883", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T19:14:30.706921Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T19:14:36.354Z"}}], "cna": {"title": "Wicked Folders <= 4.1.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Folder Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Youssef Elouaer"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wickedplugins", "product": "Wicked Folders \u2013 Folder Organizer for Pages, Posts, and Custom Post Types", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-04T15:27:18.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-14T13:11:53.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5cec2c52-d780-4d94-a5b2-d3b405bce49c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3473857/wicked-folders"}], "descriptions": [{"lang": "en", "value": "The Wicked Folders \u2013 Folder Organizer for Pages, Posts, and Custom Post Types plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the delete_folders() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary folders created by other users."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:55:43.918Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1883", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:55:43.918Z", "dateReserved": "2026-02-04T13:48:43.162Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-15T01:19:05.803Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Wicked Folders \u2013 Folder Organizer for Pages, Posts, and Custom Post Types plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the delete_folders() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary folders created by other users."}, {"lang": "es", "value": "El plugin Wicked Folders \u2013 Folder Organizer for Pages, Posts, and Custom Post Types para WordPress es vulnerable a Referencia Directa Insegura a Objeto en todas las versiones hasta la 4.1.0, inclusive, a trav\u00e9s de la funci\u00f3n delete_folders() debido a la falta de validaci\u00f3n en una clave controlada por el usuario. Esto permite a atacantes autenticados, con acceso de nivel Colaborador y superior, eliminar carpetas arbitrarias creadas por otros usuarios."}], "id": "CVE-2026-1883", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-16T14:18:08.200", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3473857/wicked-folders"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5cec2c52-d780-4d94-a5b2-d3b405bce49c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Wicked Folders \u2013 Folder Organizer for Pages, Posts, and Custom Post Types", "source": "cna", "vendor": "wickedplugins"}, "product": "wicked_folders_\u2013_folder_organizer_for_pages,_posts,_and_custom_post_types", "vendor": "wickedplugins"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-16T23:00:53.165467+00:00", "value": {"mitigation_remediation": ["Update the Wicked Folders plugin to the latest available version (any release newer than 4.1.0).", "If an update cannot be performed immediately, remove the folder deletion capability from Contributor or higher roles by adjusting the plugin\u2019s permission settings in WordPress."], "summary": {"action": "Patch Now", "impact": "Unauthorized Deletion of User-Generated Folders"}, "threat_synthesis": {"affected_systems": "This vulnerability affects all installations of the Wicked Folders plugin for WordPress with version 4.1.0 or earlier. The affected vendor is wickedplugins, which distributes the organized page, post, and custom post type folders within WordPress sites.", "description_and_impact": "The Wicked Folders \u2013 Folder Organizer for Pages, Posts, and Custom Post Types plugin for WordPress suffers from an Insecure Direct Object Reference in the delete_folders() function due to missing validation on a user-controlled parameter. This flaw allows an authenticated user with Contributor-level access or higher to delete any folder created by another user, effectively erasing user content and harming data integrity and availability. The flaw is classified as CWE\u2011639 (Indirect Control Flow Transfer).", "risk_and_exploitability": "The CVSS v3.1 score of 4.3 indicates moderate risk, and the EPSS score of less than 1\u202f% suggests that exploitation is unlikely but still possible. The vulnerability is not listed in the CISA KEV catalog. Attackers must authenticate to the site and possess a Wordpress role equal to or higher than Contributor to exploit the flaw, making it an authenticated, privilege\u2011escalated vulnerability rather than a remote code execution. Given the limited exploitation probability, but potential for data loss, administrators should consider this a risk requiring timely patching."}}}}, "created": "2026-03-16T09:22:15.334774+00:00", "updated": "2026-03-23T13:39:02.061289+00:00", "vendors": ["wickedplugins", "wickedplugins$PRODUCT$wicked_folders_\u2013_folder_organizer_for_pages,_posts,_and_custom_post_types", "wordpress", "wordpress$PRODUCT$wordpress"]}