Refine your search
5 vulnerabilities found for by NinjaTeam
CVE-2025-66134 (GCVE-0-2025-66134)
Vulnerability from cvelistv5
Published
2025-12-16 08:12
Modified
2025-12-16 16:49
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
Missing Authorization vulnerability in NinjaTeam FileBird Pro filebird-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FileBird Pro: from n/a through <= 6.4.9.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| NinjaTeam | FileBird Pro |
Version: n/a < |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-66134",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-16T16:49:45.350361Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T16:49:54.319Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://codecanyon.net",
"defaultStatus": "unaffected",
"packageName": "filebird-pro",
"product": "FileBird Pro",
"vendor": "NinjaTeam",
"versions": [
{
"lessThanOrEqual": "\u003c= 6.4.9",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2025-12-15T22:03:25.965Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in NinjaTeam FileBird Pro filebird-pro allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects FileBird Pro: from n/a through \u003c= 6.4.9.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in NinjaTeam FileBird Pro filebird-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FileBird Pro: from n/a through \u003c= 6.4.9."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T08:12:55.088Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/filebird-pro/vulnerability/wordpress-filebird-pro-plugin-6-4-9-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress FileBird Pro plugin \u003c= 6.4.9 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-66134",
"datePublished": "2025-12-16T08:12:55.088Z",
"dateReserved": "2025-11-21T11:23:00.557Z",
"dateUpdated": "2025-12-16T16:49:54.319Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12900 (GCVE-0-2025-12900)
Vulnerability from cvelistv5
Published
2025-12-15 14:25
Modified
2025-12-15 15:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
The FileBird – WordPress Media Library Folders & File Manager plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 6.5.1 via the "ConvertController::insertToNewTable" function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author level access and above, to inject global folders and reassign arbitrary media attachments to those folders under certain circumstances.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ninjateam | FileBird – WordPress Media Library Folders & File Manager |
Version: * ≤ 6.5.1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12900",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-15T15:42:27.246334Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-15T15:45:22.141Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FileBird \u2013 WordPress Media Library Folders \u0026 File Manager",
"vendor": "ninjateam",
"versions": [
{
"lessThanOrEqual": "6.5.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "M Indra Purnama"
}
],
"descriptions": [
{
"lang": "en",
"value": "The FileBird \u2013 WordPress Media Library Folders \u0026 File Manager plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 6.5.1 via the \"ConvertController::insertToNewTable\" function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author level access and above, to inject global folders and reassign arbitrary media attachments to those folders under certain circumstances."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-15T14:25:11.213Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/59592b27-d431-499a-b3c3-3d43a5513c36?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3411587"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-01T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-11-07T19:51:57.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-12-15T02:12:47.000+00:00",
"value": "Disclosed"
}
],
"title": "FileBird \u2013 WordPress Media Library Folders \u0026 File Manager \u003c= 6.5.1 - Missing Authorization to Authenticated (Author+) Global Folders Tampering"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12900",
"datePublished": "2025-12-15T14:25:11.213Z",
"dateReserved": "2025-11-07T19:36:21.772Z",
"dateUpdated": "2025-12-15T15:45:22.141Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12481 (GCVE-0-2025-12481)
Vulnerability from cvelistv5
Published
2025-11-18 09:27
Modified
2025-11-18 21:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
The WP Duplicate Page plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'saveSettings' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify plugin settings that control role capabilities, and subsequently exploit the misconfigured capabilities to duplicate and view password-protected posts containing sensitive information.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ninjateam | WP Duplicate Page |
Version: * ≤ 1.7 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12481",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T21:01:29.626211Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T21:02:09.424Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Duplicate Page",
"vendor": "ninjateam",
"versions": [
{
"lessThanOrEqual": "1.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Athiwat Tiprasaharn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Duplicate Page plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action in the \u0027saveSettings\u0027 function. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify plugin settings that control role capabilities, and subsequently exploit the misconfigured capabilities to duplicate and view password-protected posts containing sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T09:27:38.298Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/61105f6a-1bd7-415d-9481-a1c2c310f778?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-duplicate-page/tags/1.6/includes/Page/Settings.php#L92"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-duplicate-page/tags/1.6/includes/Classes/ButtonDuplicate.php#L137"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3394773%40wp-duplicate-page%2Ftrunk\u0026old=3386144%40wp-duplicate-page%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-04T05:28:17.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-17T21:24:11.000+00:00",
"value": "Disclosed"
}
],
"title": "WP Duplicate Page \u003c= 1.7 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12481",
"datePublished": "2025-11-18T09:27:38.298Z",
"dateReserved": "2025-10-29T17:11:16.657Z",
"dateUpdated": "2025-11-18T21:02:09.424Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11510 (GCVE-0-2025-11510)
Vulnerability from cvelistv5
Published
2025-10-18 06:42
Modified
2025-10-20 19:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-285 - Improper Authorization
Summary
The FileBird – WordPress Media Library Folders & File Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /filebird/v1/fb-wipe-clear-all-data function in all versions up to, and including, 6.4.9. This makes it possible for authenticated attackers, with author-level access and above, to reset all of the plugin's configuration data.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ninjateam | FileBird – WordPress Media Library Folders & File Manager |
Version: * ≤ 6.4.9 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11510",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-20T19:01:50.915963Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-20T19:02:03.165Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FileBird \u2013 WordPress Media Library Folders \u0026 File Manager",
"vendor": "ninjateam",
"versions": [
{
"lessThanOrEqual": "6.4.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "fuchong jun"
}
],
"descriptions": [
{
"lang": "en",
"value": "The FileBird \u2013 WordPress Media Library Folders \u0026 File Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /filebird/v1/fb-wipe-clear-all-data function in all versions up to, and including, 6.4.9. This makes it possible for authenticated attackers, with author-level access and above, to reset all of the plugin\u0027s configuration data."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-18T06:42:47.037Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/60ed7738-5cba-4fc0-9178-265773555369?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3379856/filebird/trunk/includes/Classes/Convert.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-08T15:21:55.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-10-17T18:24:12.000+00:00",
"value": "Disclosed"
}
],
"title": "FileBird \u003c= 6.4.9 - Improper Authorization to Authenticated (Author+) Settings Reset"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-11510",
"datePublished": "2025-10-18T06:42:47.037Z",
"dateReserved": "2025-10-08T15:06:17.946Z",
"dateUpdated": "2025-10-20T19:02:03.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2345 (GCVE-0-2024-2345)
Vulnerability from cvelistv5
Published
2024-05-02 16:51
Modified
2025-12-17 18:22
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The FileBird – WordPress Media Library Folders & File Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the folder name parameter in all versions up to, and including, 5.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ninjateam | FileBird – WordPress Media Library Folders & File Manager |
Version: * ≤ 5.6.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2345",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-16T17:42:28.753838Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-17T18:22:29.971Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:11:53.464Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/129cc3b0-4f48-4846-902e-be5cd339f537?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3060898%40filebird%2Ftrunk\u0026old=3049188%40filebird%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FileBird \u2013 WordPress Media Library Folders \u0026 File Manager",
"vendor": "ninjateam",
"versions": [
{
"lessThanOrEqual": "5.6.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tim Coen"
}
],
"descriptions": [
{
"lang": "en",
"value": "The FileBird \u2013 WordPress Media Library Folders \u0026 File Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the folder name parameter in all versions up to, and including, 5.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-02T16:51:46.891Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/129cc3b0-4f48-4846-902e-be5cd339f537?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3060898%40filebird%2Ftrunk\u0026old=3049188%40filebird%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-04-16T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-2345",
"datePublished": "2024-05-02T16:51:46.891Z",
"dateReserved": "2024-03-08T22:15:29.374Z",
"dateUpdated": "2025-12-17T18:22:29.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}