vulnerability
WordPress Plugin: mediacommander: CVE-2025-14508: Missing Authorization
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:S/C:N/I:C/A:N) | Dec 12, 2025 | Dec 15, 2025 | Dec 15, 2025 |
Severity
7
CVSS
(AV:N/AC:L/Au:S/C:N/I:C/A:N)
Published
Dec 12, 2025
Added
Dec 15, 2025
Modified
Dec 15, 2025
Description
The MediaCommander – Bring Folders to Media, Posts, and Pages plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the import-csv REST API endpoint in all versions up to, and including, 2.3.1. This is due to the endpoint using `upload_files` capability check (Author level) for a destructive operation that can delete all folders. This makes it possible for authenticated attackers, with Author-level access and above, to delete all folder organization data created by Administrators and other users.
Solution
mediacommander-plugin-cve-2025-14508
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.