CVE-2025-12640 in Folders Plugin

Summary

by MITRE • 01/08/2026

The Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress is vulnerable to Unauthorized Arbitrary Media Replacement in all versions up to, and including, 3.1.5. This is due to missing object-level authorization checks in the handle_folders_file_upload() function. This makes it possible for authenticated attackers, with Author-level access and above, to replace arbitrary media files from the WordPress Media Library.


Analysis

by VulDB Data Team • 01/09/2026

CVE-2025-12640 is a critical authorization flaw in the Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress, affecting all versions up to and including 3.1.5, which makes it a widespread concern for installations that use the plugin. The flaw lies in the handle_folders_file_upload() function, which processes file uploads for the plugin's media management features: it performs no object-level authorization check on the media item being written. An authenticated user with Author-level privileges or higher can therefore replace any media file in the WordPress Media Library, not only files they are entitled to modify.

The weakness is classified as CWE-863, "Incorrect Authorization": the application confirms that the user may perform an action in general but not that they may perform it on the specific object requested. handle_folders_file_upload() never verifies that the requesting user is permitted to modify the target media file, so the relationship between user and file is not validated and any Author can overwrite files they should have no write access to. The flaw is confined to the application layer and specifically to WordPress's media library handling, a core component of the content management system.
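To make the missing check concrete, the following is an added illustration (not the Folders plugin's code; all function, action and nonce names are hypothetical) of a WordPress AJAX handler that replaces an attachment's file. The first function carries only a role-level gate, which is the class of defect described above; the second adds the object-level check that WordPress core itself uses for attachments, `current_user_can( 'edit_post', $attachment_id )`, together with a nonce, a post-type check and MIME validation.

```php
<?php
// Added example of the flaw class discussed above. Not the plugin's code;
// names such as example_replace_media_* are invented for illustration.

// --- Weak pattern: role-level check only -----------------------------------
function example_replace_media_weak() {
    // Every Author has 'upload_files', and nothing here ties the requested
    // attachment to the requesting user, so any media file can be overwritten.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $attachment_id = (int) ( $_POST['attachment_id'] ?? 0 );
    $dest          = get_attached_file( $attachment_id );
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    wp_send_json_success();
}

// --- Hardened pattern: nonce + object-level capability + type checks --------
function example_replace_media_hardened() {
    // 1. CSRF protection: the request must carry a nonce bound to this action.
    check_ajax_referer( 'example_replace_media', 'nonce' );

    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    $attachment    = get_post( $attachment_id );

    // 2. The target must actually be an attachment, not some other post type.
    if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
        wp_send_json_error( 'not an attachment', 404 );
    }

    // 3. Object-level authorization. For attachments WordPress maps 'edit_post'
    //    on a specific ID to edit_posts for the owner and edit_others_posts for
    //    anyone else, so an Author may only replace media they uploaded.
    if ( ! current_user_can( 'edit_post', $attachment_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 4. Validate the upload and require the replacement to keep the original
    //    MIME type, so an image cannot be swapped for a different file kind.
    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'upload failed', 400 );
    }
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'] );
    if ( empty( $check['type'] ) || $check['type'] !== get_post_mime_type( $attachment_id ) ) {
        wp_send_json_error( 'type mismatch', 415 );
    }

    $dest = get_attached_file( $attachment_id );
    if ( ! $dest || ! move_uploaded_file( $_FILES['file']['tmp_name'], $dest ) ) {
        wp_send_json_error( 'write failed', 500 );
    }

    // 5. Audit trail: record who replaced which attachment so the change is
    //    not silent. Listeners on this hook can write to a log or SIEM.
    do_action( 'example_media_replaced', $attachment_id, get_current_user_id() );
    wp_send_json_success( array( 'attachment_id' => $attachment_id ) );
}
add_action( 'wp_ajax_example_replace_media', 'example_replace_media_hardened' );
```

The important line is the `edit_post` check against the concrete attachment ID: a bare role or `upload_files` check answers "may this user upload?" while the object-level check answers "may this user change this file?", which is the question CWE-863 is about.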

Operationally, the flaw lets an Author-level user replace legitimate media with content of their choosing. Critical images, documents or other assets can be swapped for malware, phishing content or other malicious files, compromising the site's integrity and potentially its visitors. The impact goes beyond the replaced file itself, since the swapped media can support follow-on attacks such as cross-site scripting, malware distribution and social engineering campaigns that rely on the compromised assets. The required privilege level is what makes the issue notable: Author is a role routinely given to users who otherwise have no administrative capabilities in WordPress.

The risk is compounded by the absence of any detection around the replacement: the operation raises no alert and leaves no audit trail that would normally flag an unauthorized modification, so on sites where media is updated frequently a replaced file can go unnoticed. Affected organizations risk corrupted media libraries, broken site functionality and degraded user experience, with more severe consequences if malicious files are loaded by the site or its visitors. Replaced media can also act as a persistent foothold that an attacker returns to for ongoing exploitation.

Mitigation starts with updating the plugin to a release that adds proper object-level authorization to handle_folders_file_upload(), so that every file replacement is checked against the requesting user's rights to that specific media item. Beyond the update, organizations should audit their WordPress installations for every instance of the vulnerable plugin, apply role-based access controls, and review user permissions so that Author-level and higher privileges are held only by personnel who need them. File integrity checking of the media library and network monitoring can detect exploitation attempts and give early warning of unauthorized changes to media files.
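The file integrity checking recommended above can be implemented without third-party tooling. The following is an added example (not part of the Folders plugin or WordPress core; the meta key and hook names are invented) that records a SHA-256 baseline for every attachment and reports any file whose content has drifted from it, which is exactly the signal an unauthorized media replacement would leave.

```php
<?php
// Added example of media-library integrity checking. Assumes a WordPress
// runtime; EXAMPLE_HASH_META and the cron hook name are hypothetical.

const EXAMPLE_HASH_META = '_example_sha256';

/** All attachment IDs, fetched as a lightweight ID-only query. */
function example_attachment_ids() {
    return get_posts( array(
        'post_type'      => 'attachment',
        'post_status'    => 'inherit',
        'posts_per_page' => -1,
        'fields'         => 'ids',
    ) );
}

/**
 * Store a SHA-256 baseline for every attachment that lacks one.
 * Returns how many attachments were newly baselined.
 */
function example_media_baseline() {
    $count = 0;
    foreach ( example_attachment_ids() as $id ) {
        if ( get_post_meta( $id, EXAMPLE_HASH_META, true ) ) {
            continue; // already baselined; re-run after legitimate edits
        }
        $path = get_attached_file( $id );
        if ( $path && is_readable( $path ) ) {
            update_post_meta( $id, EXAMPLE_HASH_META, hash_file( 'sha256', $path ) );
            $count++;
        }
    }
    return $count;
}

/**
 * Compare every baselined attachment with its stored hash.
 * Returns a list of findings; an empty list means no drift was detected.
 */
function example_media_verify() {
    $findings = array();
    foreach ( example_attachment_ids() as $id ) {
        $expected = get_post_meta( $id, EXAMPLE_HASH_META, true );
        if ( ! $expected ) {
            continue; // never baselined, nothing to compare against
        }
        $path = get_attached_file( $id );
        if ( ! $path || ! is_readable( $path ) ) {
            $findings[] = array( 'id' => $id, 'issue' => 'missing', 'path' => (string) $path );
            continue;
        }
        $actual = hash_file( 'sha256', $path );
        if ( ! hash_equals( $expected, $actual ) ) {
            $findings[] = array(
                'id'       => $id,
                'issue'    => 'modified',
                'path'     => $path,
                'mime'     => get_post_mime_type( $id ),
                'modified' => gmdate( 'c', filemtime( $path ) ),
            );
        }
    }
    return $findings;
}

// Run the comparison daily through WP-Cron and surface drift in the PHP error
// log, where a log shipper or SIEM can pick it up.
add_action( 'example_media_integrity_check', function () {
    foreach ( example_media_verify() as $f ) {
        error_log( sprintf( 'media-integrity: attachment %d %s (%s)', $f['id'], $f['issue'], $f['path'] ) );
    }
} );
if ( ! wp_next_scheduled( 'example_media_integrity_check' ) ) {
    wp_schedule_event( time(), 'daily', 'example_media_integrity_check' );
}
```

Legitimate changes (for instance edits made with the built-in image editor) also alter the hash, so the baseline for such an attachment must be refreshed by deleting its meta entry and re-running example_media_baseline(); a finding that nobody can account for is the one to investigate.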

Disclosure

01/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00031

KEV

no

Activities

very low
