Skip to main content

NinjaTeam FileBird Pro CVE-2025-66134

MEDIUM
Missing Authorization (CWE-862)
2025-12-16 audit@patchstack.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Apr 01, 2026 - 15:22 vuln.today
CVE Published
Dec 16, 2025 - 09:15 nvd
MEDIUM 5.4

DescriptionCVE.org

Missing Authorization vulnerability in NinjaTeam FileBird Pro filebird-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FileBird Pro: from n/a through <= 6.5.1.

AnalysisAI

Missing authorization in NinjaTeam FileBird Pro WordPress plugin versions up to 6.5.1 allows authenticated users to access and modify files they should not have permission to view or edit due to incorrectly configured access control security levels. The vulnerability requires valid user credentials but can lead to disclosure and modification of sensitive files within the plugin's file management interface. EPSS exploitation probability is low at 0.04%, and no public exploit code has been identified at the time of analysis.

Technical ContextAI

FileBird Pro is a WordPress plugin that manages file organization and access control within WordPress environments. The vulnerability stems from CWE-862 (Missing Authorization), which occurs when the plugin fails to properly enforce access control checks before allowing users to perform sensitive operations. The plugin's access control mechanism does not adequately validate whether an authenticated user has explicit permission to view or modify specific files and folders, allowing privilege escalation within the plugin's permission model. This is distinct from authentication failures - the user is authenticated to WordPress, but the plugin's internal authorization logic is broken.

Affected ProductsAI

NinjaTeam FileBird Pro WordPress plugin is affected in versions from an unspecified starting point through 6.5.1. The plugin is distributed via WordPress.org and commercial channels. According to the Patchstack reference, version 6.4.9 was identified as vulnerable, and the vulnerability extends through at least 6.5.1. CPE specifics are not available from provided data, but the plugin can be identified by slug 'filebird-pro' in WordPress plugin repositories.

RemediationAI

Update NinjaTeam FileBird Pro to a version newer than 6.5.1 where the authorization checks have been properly implemented. Users should check the official NinjaTeam FileBird Pro repository or their plugin update dashboard for the latest available version that addresses this vulnerability. Until patching is possible, WordPress administrators should audit and restrict authentication-level user accounts (subscribers and above) who have access to FileBird Pro's file management interface. The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/filebird-pro/vulnerability/wordpress-filebird-pro-plugin-6-4-9-broken-access-control-vulnerability?_s_id=cve contains additional technical details and may provide a specific patched version number.

Share

CVE-2025-66134 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy