CVE-2025-66134

MEDIUM
2025-12-16 [email protected]
5.4
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

Analysis Generated
Apr 01, 2026 - 15:22 vuln.today
CVE Published
Dec 16, 2025 - 09:15 nvd
MEDIUM 5.4

Description

Missing Authorization vulnerability in NinjaTeam FileBird Pro (filebird-pro) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FileBird Pro: from n/a through <= 6.5.1.

Analysis

Missing authorization in the NinjaTeam FileBird Pro WordPress plugin, versions up to and including 6.5.1, allows an authenticated user to view and modify files and folders within the plugin's file-management interface that their role should not permit, because the plugin's access control levels are not enforced correctly. Exploitation requires valid credentials for any account on the site (CVSS PR:L) but no user interaction, and the impact is limited disclosure and modification of data handled by the plugin (C:L/I:L, no availability impact). The EPSS exploitation probability is low at 0.04%, and no public exploit code had been identified at the time of analysis.

Technical Context

FileBird Pro is a WordPress plugin that organizes media library files into virtual folders and applies access control to those folders. The weakness is CWE-862 (Missing Authorization): the plugin does not perform an adequate access check before letting a user carry out a sensitive operation. Specifically, its access control mechanism does not verify that the authenticated user has explicit permission to view or modify the particular files and folders requested, so a low-privileged account can act beyond its role within the plugin's permission model. This is distinct from an authentication failure: the user is legitimately logged in to WordPress, but the plugin's internal authorization logic is broken. In WordPress plugins this pattern typically appears in an AJAX or REST handler that checks only that a user is logged in (or only a nonce) instead of checking a capability and, where data is per-user, ownership of the object being acted on.
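The CWE-862 pattern described above, as an added illustration that is not FileBird Pro's code and does not reflect how that plugin is implemented: a hypothetical WordPress REST route that renames a media folder, first in the missing-authorization form (any logged-in user passes) and then with a capability check plus an object-level ownership check. The namespace example-files/v1, the option name example_folders and all example_* helpers are invented for this example.

```php
<?php
/**
 * Added illustration for CVE-2025-66134; NOT FileBird Pro's code.
 * Hypothetical REST route that renames a media "folder". The namespace
 * example-files/v1, option example_folders and example_* helpers are invented.
 */

// Invented storage: folders are an array option keyed by folder id,
// each entry holding a 'name' and the 'owner' user id.
function example_get_folders() {
    return (array) get_option( 'example_folders', array() );
}

function example_user_owns_folder( $user_id, $folder_id ) {
    $folders = example_get_folders();
    return isset( $folders[ $folder_id ] )
        && (int) $folders[ $folder_id ]['owner'] === (int) $user_id;
}

function example_rename_folder( WP_REST_Request $request ) {
    $folders = example_get_folders();
    $id      = (int) $request['id'];
    if ( ! isset( $folders[ $id ] ) ) {
        return new WP_Error( 'not_found', 'No such folder', array( 'status' => 404 ) );
    }
    $folders[ $id ]['name'] = sanitize_text_field( $request['name'] );
    update_option( 'example_folders', $folders );
    return rest_ensure_response( $folders[ $id ] );
}

function example_route_args() {
    return array(
        'id'   => array( 'validate_callback' => function ( $v ) { return is_numeric( $v ); } ),
        'name' => array( 'required' => true, 'sanitize_callback' => 'sanitize_text_field' ),
    );
}

// BEFORE (the CWE-862 pattern): the permission callback only checks that a
// user is logged in. That is authentication, not authorization: any
// Subscriber-level account can rename every folder regardless of owner or
// role. Kept for contrast and deliberately not hooked.
function example_register_vulnerable_route() {
    register_rest_route( 'example-files/v1', '/folder/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_rename_folder',
        'permission_callback' => 'is_user_logged_in',
        'args'                => example_route_args(),
    ) );
}

// AFTER (hardened): require a capability that matches the operation and an
// object-level ownership check. Cookie-authenticated callers must also send a
// valid REST nonce (X-WP-Nonce); without it core treats the request as
// unauthenticated before this permission callback runs.
function example_register_hardened_route() {
    register_rest_route( 'example-files/v1', '/folder/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_rename_folder',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'upload_files' ) ) {
                return new WP_Error( 'rest_forbidden', 'Insufficient capability', array( 'status' => 403 ) );
            }
            // Administrators may manage every folder; everyone else only their own.
            if ( current_user_can( 'manage_options' ) ) {
                return true;
            }
            if ( example_user_owns_folder( get_current_user_id(), (int) $request['id'] ) ) {
                return true;
            }
            return new WP_Error( 'rest_forbidden', 'Not the folder owner', array( 'status' => 403 ) );
        },
        'args' => example_route_args(),
    ) );
}

add_action( 'rest_api_init', 'example_register_hardened_route' );
```

The choice of upload_files as the gating capability is illustrative; the right capability is whatever the operation actually requires, and for per-user data the capability check alone is not enough, which is why the ownership check sits beside it.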

Affected Products

The NinjaTeam FileBird Pro WordPress plugin is affected in versions from an unspecified starting point through 6.5.1. The Pro edition is a commercial product from NinjaTeam; the free FileBird edition hosted on WordPress.org is a separate package with the slug filebird, so this entry concerns the plugin installed under the directory/slug filebird-pro. The Patchstack reference names version 6.4.9 in its advisory URL, and the CVE record extends the affected range through 6.5.1. No CPE is available from the provided data.

Remediation

Update NinjaTeam FileBird Pro to a release newer than 6.5.1 in which the authorization checks are implemented; the fixed version number is not given in the data available here, so confirm it in the NinjaTeam changelog or the plugin update screen before relying on an upgrade. Until the site is patched, administrators should audit every account at Subscriber level and above (any authenticated user meets the CVSS PR:L condition), remove or disable unused and untrusted accounts, and keep open registration disabled unless it is needed, since the attack requires only a valid login. The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/filebird-pro/vulnerability/wordpress-filebird-pro-plugin-6-4-9-broken-access-control-vulnerability?_s_id=cve contains additional technical details and may name the specific patched version.
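An added WP-CLI script for the remediation steps above; it is not part of the vuln.today entry or of NinjaTeam's product. It flags an installed filebird-pro plugin whose version falls inside the affected range and lists the accounts an attacker would need (the role distribution of all logins, then the subset that can reach the media library). It assumes the plugin directory is filebird-pro (the main file name is discovered rather than assumed) and uses the core upload_files capability as a proxy for media-library access; this entry does not say which capability the plugin itself checks, and the patched version number is not known from the page.

```php
<?php
/**
 * Added example (not from vuln.today or NinjaTeam). Run on the site with:
 *   wp eval-file audit-filebird-pro.php
 * Assumptions: the plugin lives in wp-content/plugins/filebird-pro (its main
 * PHP file is discovered via get_plugins()), and 'upload_files' stands in for
 * "can reach the media library"; the CVE does not state which capability the
 * plugin checks, and the first fixed release is not known from this entry.
 */

if ( ! defined( 'WP_CLI' ) || ! WP_CLI ) {
    exit( "Run this with: wp eval-file audit-filebird-pro.php\n" );
}

require_once ABSPATH . 'wp-admin/includes/plugin.php';

const FILEBIRD_PRO_SLUG          = 'filebird-pro';
const FILEBIRD_PRO_LAST_AFFECTED = '6.5.1'; // CVE-2025-66134: "through <= 6.5.1"

// --- 1. Plugin version check -------------------------------------------------
$found = false;
foreach ( get_plugins() as $plugin_file => $data ) {
    if ( strpos( $plugin_file, FILEBIRD_PRO_SLUG . '/' ) !== 0 ) {
        continue;
    }
    $found  = true;
    $active = is_plugin_active( $plugin_file ) ? 'active' : 'inactive';
    $state  = version_compare( $data['Version'], FILEBIRD_PRO_LAST_AFFECTED, '<=' )
        ? 'AFFECTED (CVE-2025-66134): update required'
        : 'newer than the affected range; confirm against the vendor changelog';
    WP_CLI::log( sprintf( '%s %s (%s): %s', $data['Name'], $data['Version'], $active, $state ) );
}
if ( ! $found ) {
    WP_CLI::log( FILEBIRD_PRO_SLUG . ' is not installed on this site.' );
}

// --- 2. Accounts that can exercise an authenticated endpoint -----------------
// Any logged-in account satisfies PR:L, so first report every role, then the
// subset that can reach the media library, where a folder plugin is used.
$counts = count_users();
WP_CLI::log( sprintf( 'Total users: %d', $counts['total_users'] ) );
foreach ( $counts['avail_roles'] as $role => $n ) {
    WP_CLI::log( sprintf( '  role %-15s %d user(s)', $role, $n ) );
}

WP_CLI::log( 'Users with upload_files (review and prune these until patched):' );
$users = get_users( array(
    'capability' => 'upload_files', // WP_User_Query 'capability' arg needs WordPress >= 5.9
    'fields'     => array( 'ID', 'user_login', 'user_email' ),
) );
foreach ( $users as $u ) {
    $roles = (array) get_userdata( $u->ID )->roles;
    WP_CLI::log( sprintf( '  #%d %s <%s> roles=%s',
        $u->ID, $u->user_login, $u->user_email, implode( ',', $roles ) ) );
}
```

The version comparison is only as good as the plugin header; if the site pins or patches the plugin manually, check the vendor changelog rather than trusting the flag. The user listing is a starting point for the account audit, not a complete one, because the plugin's own endpoints may be reachable by roles without upload_files.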

Priority Score

27 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +27
POC: 0
