CVE-2026-1883
Awaiting Analysis Awaiting Analysis - Queue
Insecure Direct Object Reference in Wicked Folders Plugin Allows Folder Deletion

Publication date: 2026-03-16

Last updated on: 2026-03-16

Assigner: Wordfence

Description
The Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the delete_folders() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary folders created by other users.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-03-16
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1883
EUVD
EUVD-2026-12198
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wicked_folders wicked_folders to 4.1.0 (inc)
wicked_folders folder_organizer_for_pages_posts_and_custom_post_types to 4.1.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Executive Summary

The Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types plugin for WordPress has a vulnerability known as Insecure Direct Object Reference (IDOR) in all versions up to and including 4.1.0. This vulnerability exists in the delete_folders() function because it lacks proper validation on a user-controlled key.

As a result, authenticated users with Contributor-level access or higher can exploit this flaw to delete arbitrary folders created by other users, bypassing intended permission restrictions.

Impact Analysis

This vulnerability allows attackers with Contributor-level access or above to delete folders created by other users within the Wicked Folders plugin. This can lead to unauthorized data loss or disruption of content organization within a WordPress site.

Since the vulnerability does not affect confidentiality or availability directly (CVSS Impact: No Confidentiality or Availability impact, only Integrity is impacted), the main impact is the unauthorized modification (deletion) of folder data, which could disrupt workflows or content management.

Detection Guidance

Detection of this vulnerability involves checking if the Wicked Folders plugin version is 4.1.0 or earlier, as these versions lack proper permission checks in the delete_folders() function.

Since the vulnerability allows authenticated users with Contributor-level access or higher to delete arbitrary folders, monitoring for unexpected folder deletion events by such users can help detect exploitation attempts.

There are no specific network commands provided in the resources, but you can check the installed plugin version via WordPress CLI:

  • wp plugin list | grep wicked-folders

Additionally, reviewing WordPress logs or database entries for folder deletions by users with Contributor or higher roles may help detect exploitation.

Mitigation Strategies

The immediate mitigation step is to update the Wicked Folders plugin to version 4.1.1 or later, which includes enhanced permission checks preventing unauthorized folder deletions.

This update enforces proper capability checks such as delete_term permissions on folder taxonomy terms, blocking contributors from deleting folders they do not own.

If updating immediately is not possible, restrict Contributor-level users from accessing folder deletion features or temporarily downgrade their permissions until the patch can be applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1883. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart