PT-2025-51079 · WordPress · Mediacommander

Author: Athiwat Tiprasaharn
Published: 2025-12-13
Updated: 2025-12-13
CVE: CVE-2025-14508
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: MediaCommander – Bring Folders to Media, Posts, and Pages plugin for WordPress, versions prior to 2.3.2

Description: The MediaCommander plugin for WordPress is susceptible to unauthorized data deletion because of a missing capability check on the import-csv API endpoint (/import-csv). The endpoint gates the operation with the upload files capability check (upload_files, which the Author role already holds), even though the operation can delete all folders. Authenticated attackers with Author-level access or higher can therefore delete folder organization data created by Administrators and other users.

Recommendations: Update to version 2.3.2 or later.
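The root cause described above is a permission check that is weaker than the operation it protects. The following is an added illustration written for this advisory, not MediaCommander's own code: a WordPress REST route that is registered twice, once with the weak Author-level check and once with an administrator-level check. The route namespace, handler name, `replace_existing` parameter, and the `mc_folders` table are all assumed for the example; only the capability names `upload_files` and `manage_options` are real WordPress capabilities.

```php
<?php
// Added illustration (not the plugin's code). Assumes a REST route that
// imports a CSV of folders and can optionally wipe existing folder data.

add_action( 'rest_api_init', function () {

    // WEAK PATTERN: upload_files is granted to the Author role, so any
    // Author can reach a handler able to delete every user's folder data.
    register_rest_route( 'example-plugin/v1', '/import-csv', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_import_csv',
        'permission_callback' => function () {
            return current_user_can( 'upload_files' );
        },
    ) );

    // HARDENED PATTERN: a destructive, site-wide operation is gated on an
    // administrator capability, and the handler only wipes data when the
    // caller explicitly asks for it.
    register_rest_route( 'example-plugin/v1', '/import-csv-hardened', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_import_csv',
        'permission_callback' => function () {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'Administrator capability required.',
                    array( 'status' => 403 )
                );
            }
            return true;
        },
        'args' => array(
            'replace_existing' => array(
                'type'    => 'boolean',
                'default' => false,
            ),
        ),
    ) );
} );

// Shared handler: the only difference between the two routes above is the
// permission_callback, which is exactly where the advisory places the flaw.
function example_import_csv( WP_REST_Request $request ) {
    global $wpdb;
    $table = $wpdb->prefix . 'mc_folders'; // assumed table name

    // Destructive step: remove all existing folders before importing.
    // Reached only when the caller opted in and passed the permission check.
    if ( $request->get_param( 'replace_existing' ) ) {
        $wpdb->query( "TRUNCATE TABLE {$table}" );
    }

    // ... parse the uploaded CSV and insert folder rows ...

    return rest_ensure_response( array( 'status' => 'ok' ) );
}
```

When reviewing a plugin's REST routes, the check to make is whether the capability named in each `permission_callback` matches the most destructive action the handler can perform; a read-or-upload capability guarding a delete-all path is the mismatch this advisory describes, and a 403 on the hardened route is the expected behaviour for an Author account.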

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2025-14508

Affected Products: Mediacommander