Medium severity 6.5 · NVD Advisory · Published Dec 13, 2025 · Updated Apr 15, 2026
CVE-2025-14508
Description
The MediaCommander – Bring Folders to Media, Posts, and Pages plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the import-csv REST API endpoint in all versions up to, and including, 2.3.1. This is due to the endpoint using the upload_files capability check (Author level) for a destructive operation that can delete all folders. This makes it possible for authenticated attackers, with Author-level access and above, to delete all folder organization data created by Administrators and other users.
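The capability mismatch described above, shown as a weak permission callback beside a stricter one. This is an added example, not code from the plugin or its patch: the namespace, route, function names and the choice of manage_options as the required capability are assumptions made for illustration.

```php
<?php
// Added example: all "example_*" names and the "example-folders/v1" namespace
// are hypothetical and are not taken from the MediaCommander source.

// Weak: upload_files is held by Authors, so this gate lets any Author reach
// an import handler that replaces every user's folder data.
function example_weak_permission() {
    return current_user_can( 'upload_files' );
}

// Stricter: gate the destructive import on an administrator-level capability
// (manage_options is an assumption; the page does not state the patched check).
function example_strict_permission() {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden',
        'You are not allowed to replace folder data.',
        array( 'status' => rest_authorization_required_code() ) // 401 or 403
    );
}

function example_import_csv( WP_REST_Request $request ) {
    // Defence in depth: repeat the check in the handler in case the route
    // is ever re-registered with a looser permission_callback.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Forbidden.', array( 'status' => 403 ) );
    }
    $files = $request->get_file_params();
    $lines = empty( $files['file']['tmp_name'] )
        ? false
        : file( $files['file']['tmp_name'], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES );
    if ( false === $lines ) {
        return new WP_Error( 'example_no_file', 'A readable CSV file is required.', array( 'status' => 400 ) );
    }
    $rows = array_map( function ( $line ) {
        return str_getcsv( $line, ',', '"', '' );
    }, $lines );
    // Only after both checks pass would stored folders be replaced with $rows.
    return rest_ensure_response( array( 'rows' => count( $rows ) ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-folders/v1', '/import-csv', array(
        'methods'             => WP_REST_Server::CREATABLE, // POST
        'callback'            => 'example_import_csv',
        'permission_callback' => 'example_strict_permission', // not example_weak_permission
    ) );
} );
```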
Patches
No patches discovered yet.
References
- plugins.trac.wordpress.org/browser/mediacommander/trunk/includes/Models/FoldersModel.php (nvd)
- plugins.trac.wordpress.org/browser/mediacommander/trunk/includes/Rest/Controllers/FoldersController.php (nvd)
- plugins.trac.wordpress.org/changeset/3417928/ (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/9102fe7e-7baa-4bc0-879f-cc7df1ea13d2 (nvd)