{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-29T11:27:40.849","vulnerabilities":[{"cve":{"id":"CVE-2025-12640","sourceIdentifier":"security@wordfence.com","published":"2026-01-08T03:15:42.873","lastModified":"2026-06-17T08:32:43.647","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"The Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress is vulnerable to Unauthorized Arbitrary Media Replacement in all versions up to, and including, 3.1.5. This is due to missing object-level authorization checks in the handle_folders_file_upload() function. This makes it possible for authenticated attackers, with Author-level access and above, to replace arbitrary media files from the WordPress Media Library."},{"lang":"es","value":"El plugin Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager para WordPress es vulnerable a Reemplazo Arbitrario de Medios No Autorizado en todas las versiones hasta la 3.1.5, inclusive. Esto se debe a la falta de comprobaciones de autorización a nivel de objeto en la función handle_folders_file_upload(). Esto hace posible que atacantes autenticados, con acceso de nivel Autor y superior, reemplacen archivos multimedia arbitrarios de la biblioteca de medios de WordPress."}],"affected":[{"source":"security@wordfence.com","affectedData":[{"vendor":"premio","product":"Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager","defaultStatus":"unaffected","versions":[{"version":"0","lessThanOrEqual":"3.1.5","versionType":"semver","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-01-08T16:19:58.182067Z","id":"CVE-2025-12640","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security@wordfence.com","type":"Secondary","description":[{"lang":"en","value":"CWE-862"}]}],"references":[{"url":"https://plugins.trac.wordpress.org/changeset/3402986/folders/tags/3.1.6/includes/media.replace.php","source":"security@wordfence.com"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/ac6432a4-6597-4d1e-b63d-c007a301d1b2?source=cve","source":"security@wordfence.com"}]}}]}