CVE-2025-11510
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-18

Last updated on: 2025-10-21

Assigner: Wordfence

Description
The FileBird – WordPress Media Library Folders & File Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /filebird/v1/fb-wipe-clear-all-data function in all versions up to, and including, 6.4.9. This makes it possible for authenticated attackers, with author-level access and above, to reset all of the plugin's configuration data.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-18
Last Modified
2025-10-21
Generated
2026-06-16
AI Q&A
2025-10-18
EPSS Evaluated
2026-06-14
NVD
CVE-2025-11510
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordfence filebird *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the FileBird WordPress plugin allows authenticated users with author-level access or higher to reset all of the plugin's configuration data without proper authorization. This happens because the plugin's /filebird/v1/fb-wipe-clear-all-data function lacks a capability check, enabling unauthorized modification of data.

Impact Analysis

An attacker with author-level access or above can exploit this vulnerability to reset all configuration data of the FileBird plugin. This could disrupt the organization and management of media library folders, potentially causing data loss or requiring reconfiguration, impacting site functionality and user experience.

Detection Guidance

You can detect this vulnerability by checking if the /filebird/v1/fb-wipe-clear-all-data endpoint is accessible and can be triggered by users with author-level access or above without proper capability checks. Since the vulnerability involves missing permission checks, you can test by attempting to call this REST API endpoint with an authenticated user having author-level permissions and observe if the plugin's configuration data can be reset. Specific commands would involve using curl or similar tools to send authenticated POST requests to the endpoint. For example: curl -X POST -H "Authorization: Bearer <token>" https://yourwordpresssite.com/wp-json/filebird/v1/fb-wipe-clear-all-data. If the request succeeds without proper authorization errors, the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include updating the FileBird plugin to a version that includes the fix, which enforces capability checks (manage_options) before allowing data clearance operations. If an update is not immediately available, restrict author-level users from accessing the vulnerable endpoint or disable the plugin temporarily. Additionally, monitor and audit user activities related to the /filebird/v1/fb-wipe-clear-all-data endpoint to detect unauthorized attempts. The fix involves adding permission checks as shown in the changeset that verifies the user has the 'manage_options' capability before allowing data deletion. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11510. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart