Medium severity 6.5 · NVD Advisory · Published Dec 13, 2025 · Updated Apr 15, 2026
CVE-2025-14508
Description
The MediaCommander – Bring Folders to Media, Posts, and Pages plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the import-csv REST API endpoint in all versions up to, and including, 2.3.1. This is due to the endpoint using the upload_files capability check (Author level) for a destructive operation that can delete all folders. This makes it possible for authenticated attackers, with Author-level access and above, to delete all folder organization data created by Administrators and other users.
Affected products
- Range: <=2.3.1
References
- plugins.trac.wordpress.org/browser/mediacommander/trunk/includes/Models/FoldersModel.php (nvd)
- plugins.trac.wordpress.org/browser/mediacommander/trunk/includes/Rest/Controllers/FoldersController.php (nvd)
- plugins.trac.wordpress.org/changeset/3417928/ (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/9102fe7e-7baa-4bc0-879f-cc7df1ea13d2 (nvd)