CVE-2026-1883
Insecure Direct Object Reference in Wicked Folders Plugin Allows Folder Deletion
Publication date: 2026-03-16
Last updated on: 2026-03-16
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Affected versions |
|---|---|---|
| wicked_folders | wicked_folders | up to and including 4.1.0 |
| wicked_folders | folder_organizer_for_pages_posts_and_custom_post_types | up to and including 4.1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types plugin for WordPress is affected by an Insecure Direct Object Reference (IDOR) vulnerability in all versions up to and including 4.1.0. The flaw is in the delete_folders() function, which does not validate the user-controlled key that identifies the folder to be deleted.
As a result, authenticated users with Contributor-level access or higher can exploit this flaw to delete arbitrary folders created by other users, bypassing intended permission restrictions.
How can this vulnerability impact me?
This vulnerability allows attackers with Contributor-level access or above to delete folders created by other users within the Wicked Folders plugin. This can lead to unauthorized data loss or disruption of content organization within a WordPress site.
Confidentiality and availability are not affected directly (the CVSS assessment records an Integrity impact only), so the main impact is the unauthorized modification, specifically deletion, of folder data, which could disrupt workflows or content management.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the Wicked Folders plugin version is 4.1.0 or earlier, as these versions lack proper permission checks in the delete_folders() function.
Since the vulnerability allows authenticated users with Contributor-level access or higher to delete arbitrary folders, monitoring for unexpected folder deletion events by such users can help detect exploitation attempts.
There are no specific network commands provided in the resources, but you can check the installed plugin version with WP-CLI:
- `wp plugin list | grep wicked-folders`
Additionally, reviewing WordPress logs or database entries for folder deletions by users with Contributor or higher roles may help detect exploitation.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Wicked Folders plugin to version 4.1.1 or later, which includes enhanced permission checks preventing unauthorized folder deletions.
This update enforces proper capability checks, such as requiring the delete_term capability on the folder taxonomy terms being deleted, which blocks contributors from deleting folders they do not own.
If updating immediately is not possible, restrict Contributor-level users from accessing folder deletion features or temporarily downgrade their permissions until the patch can be applied.
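As an added illustration of the capability check described above (this is not the plugin's own code; the AJAX action name, taxonomy slug and function names are hypothetical placeholders), here is a WordPress handler in the vulnerable IDOR shape beside a hardened version that authorizes each term with the `delete_term` capability before deleting anything:

```php
<?php
// Added illustration, not Wicked Folders' code. Hypothetical AJAX handler that
// deletes folder taxonomy terms; the action and taxonomy names are placeholders.

const EXAMPLE_FOLDER_TAXONOMY = 'example_folder'; // hypothetical taxonomy slug

/**
 * Vulnerable pattern (IDOR): the handler trusts the user-supplied term IDs and
 * performs no authorization beyond "is the user logged in", so any
 * authenticated user can delete folders that belong to someone else.
 */
function example_delete_folders_vulnerable() {
    $ids = array_map( 'absint', (array) ( $_POST['folder_ids'] ?? array() ) );
    foreach ( $ids as $term_id ) {
        wp_delete_term( $term_id, EXAMPLE_FOLDER_TAXONOMY );
    }
    wp_send_json_success();
}

/**
 * Hardened pattern: verify the nonce, then authorize every term individually
 * with the delete_term meta capability before deleting any of them.
 */
function example_delete_folders_hardened() {
    check_ajax_referer( 'example_delete_folders', 'nonce' );

    $ids = array_map( 'absint', (array) ( $_POST['folder_ids'] ?? array() ) );
    $ids = array_filter( array_unique( $ids ) );

    // Authorize first, delete second: a mixed batch must not be partially applied.
    foreach ( $ids as $term_id ) {
        $term = get_term( $term_id, EXAMPLE_FOLDER_TAXONOMY );
        if ( ! $term || is_wp_error( $term ) ) {
            wp_send_json_error( 'Unknown folder.', 404 );
        }
        if ( ! current_user_can( 'delete_term', $term_id ) ) {
            wp_send_json_error( 'You are not allowed to delete this folder.', 403 );
        }
    }
    foreach ( $ids as $term_id ) {
        wp_delete_term( $term_id, EXAMPLE_FOLDER_TAXONOMY );
    }
    wp_send_json_success( array( 'deleted' => array_values( $ids ) ) );
}

// Only the hardened handler is registered; the vulnerable one is for comparison.
add_action( 'wp_ajax_example_delete_folders', 'example_delete_folders_hardened' );
```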
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know