PT-2026-25528 · Wickedplugins · Wicked Folders – Folder Organizer For Pages
Youssef Elouaer
·
Published
2026-03-15
·
Updated
2026-03-16
·
CVE-2026-1883
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types versions prior to 4.1.1
Description
The Wicked Folders plugin for WordPress is susceptible to an Insecure Direct Object Reference issue in versions up to and including 4.1.0. This is due to a lack of validation on a user-controlled key within the
delete folders() function. Authenticated attackers with Contributor-level access or higher can exploit this to delete folders created by other users. The delete folders() function is the component directly involved in this issue.Recommendations
Update Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types to version 4.1.1 or later.
Fix
IDOR
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Wicked Folders – Folder Organizer For Pages