CVE-2025-14508
Unauthorized Data Deletion in MediaCommander WordPress Plugin
Publication date: 2025-12-13
Last updated on: 2025-12-13
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | mediacommander | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the MediaCommander β Bring Folders to Media, Posts, and Pages plugin for WordPress, where the import-csv REST API endpoint lacks a proper capability check. It incorrectly uses the 'upload_files' capability (Author level) for an operation that can delete all folders. As a result, any authenticated user with Author-level access or higher can delete all folder organization data created by Administrators and other users.
How can this vulnerability impact me? :
The vulnerability allows authenticated users with Author-level access or higher to delete all folder organization data within the plugin. This can lead to loss of important organizational data, disruption of content management, and potential operational issues on the affected WordPress site.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately restrict Author-level users from accessing the import-csv REST API endpoint or disable the MediaCommander plugin until a patched version beyond 2.3.1 is available. Additionally, review and limit user capabilities to prevent unauthorized data deletion.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows authenticated users with Author-level access to delete all folder organization data created by Administrators and other users without proper authorization checks. This unauthorized data deletion could lead to loss of important user or organizational data, potentially impacting compliance with data protection regulations such as GDPR or HIPAA, which require safeguarding data integrity and preventing unauthorized data manipulation or deletion. However, the provided resources do not explicitly discuss compliance impacts or regulatory considerations. [4, 3, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability on your system, you can monitor REST API requests to the MediaCommander plugin's import-csv endpoint and check for unauthorized deletion attempts. Specifically, look for authenticated requests made by users with Author-level access or higher to the import-csv REST API endpoint. Additionally, monitoring for unusual folder deletion activities or unexpected changes in folder organization data can indicate exploitation attempts. Since the vulnerability involves misuse of the 'upload_files' capability for destructive operations, auditing user actions with this capability is recommended. As for commands, you can use tools like curl or WP-CLI to simulate or log REST API calls. For example, to check if the import-csv endpoint is accessible and potentially vulnerable, you might run a curl command like: curl -X POST -H "Authorization: Bearer <token>" https://yourwordpresssite.com/wp-json/mediacommander/v1/import-csv -d @file.csv -- but only with authorized tokens. Also, reviewing server logs for POST requests to the import-csv endpoint by Author-level users can help detect exploitation. However, no specific detection commands are provided in the resources.