CVE-2025-12038: CWE-863 Incorrect Authorization in wpfolderly Folderly
The Folderly plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the /wp-json/folderly/v1/config/clear-all-data REST API endpoint in all versions up to, and including, 0.3. This makes it possible for authenticated attackers, with Author-level access and above, to clear all data like terms and categories.
AI Analysis
Technical Summary
CVE-2025-12038 is an authorization vulnerability classified under CWE-863 in the Folderly plugin for WordPress, affecting all versions up to and including 0.3. The vulnerability arises from an insufficient capability check on the REST API endpoint /wp-json/folderly/v1/config/clear-all-data. This endpoint allows authenticated users with Author-level privileges or higher to invoke a function that clears all data managed by the plugin, including terms and categories, without proper authorization validation. The flaw does not require user interaction and can be exploited remotely over the network. The CVSS v3.1 base score is 4.3 (medium), reflecting that the attack vector is network-based, requires low privileges (Author role), and results in limited integrity impact without affecting confidentiality or availability. No known exploits have been reported in the wild, and no patches have been released yet. The vulnerability compromises data integrity by enabling unauthorized modification or deletion of taxonomy data, which can disrupt website content organization and management. Since Folderly is a WordPress plugin, the scope includes any WordPress site running an affected plugin version. The vulnerability highlights the importance of strict capability checks on REST API endpoints, especially those that perform destructive operations.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to the integrity of website content and taxonomy data managed via the Folderly plugin. Unauthorized clearing of terms and categories can lead to significant disruption in content management workflows, SEO impacts, and potential downtime or degraded user experience on affected websites. Organizations relying on WordPress for critical content delivery, e-commerce, or customer engagement may face operational challenges. Although the vulnerability does not directly impact confidentiality or availability, the loss or corruption of structured content data can indirectly affect business continuity and reputation. Attackers with Author-level access, which may be obtained through compromised credentials or insider threats, can exploit this flaw to sabotage site content. The lack of known exploits reduces immediate risk, but the absence of patches means the vulnerability remains open. European entities with extensive WordPress deployments, especially those using Folderly for content taxonomy management, should consider this a moderate threat to their web infrastructure integrity.
Mitigation Recommendations
1. Immediately audit user roles and permissions on WordPress sites using the Folderly plugin to ensure that only trusted users have Author-level or higher privileges.
2. Restrict access to the REST API endpoint /wp-json/folderly/v1/config/clear-all-data by implementing additional access controls such as IP whitelisting or custom capability checks via WordPress hooks or firewall rules.
3. Monitor logs for unusual API calls to the affected endpoint to detect potential exploitation attempts.
4. Disable or uninstall the Folderly plugin if it is not essential, to reduce the attack surface.
5. Stay informed about vendor updates and apply patches promptly once released to fix the authorization flaw.
6. Employ web application firewalls (WAFs) with custom rules to block unauthorized requests targeting the vulnerable endpoint.
7. Educate site administrators and users about the risks of privilege escalation and enforce strong authentication mechanisms to prevent unauthorized access.
8. Regularly back up website data, including taxonomy and configuration, to enable recovery in case of data loss or corruption.
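One way to apply recommendation 2 (a custom capability check via WordPress hooks) until a vendor patch ships, as an added example that is not Folderly's own code: a must-use plugin that intercepts the vulnerable route with the core rest_request_before_callbacks filter and refuses it unless the caller holds manage_options. The route string is taken from the advisory; the file name, function name and the manage_options requirement are this example's assumptions.

```php
<?php
/**
 * Plugin Name: Folderly clear-all-data capability guard (hypothetical mu-plugin)
 *
 * Added example, not Folderly's own code. Place in wp-content/mu-plugins/ so it
 * loads before regular plugins. It assumes the vulnerable route is exactly
 * /folderly/v1/config/clear-all-data (from the advisory) and requires the
 * manage_options capability on it, independent of whatever permission_callback
 * the plugin registered for the route.
 */

defined( 'ABSPATH' ) || exit;

// Route as seen by the REST server: no /wp-json prefix.
const FOLDERLY_GUARDED_ROUTE = '/folderly/v1/config/clear-all-data';

/**
 * Short-circuit the request unless the current user may manage options.
 *
 * rest_request_before_callbacks fires after REST authentication but before the
 * route's permission_callback and handler; returning a WP_Error stops dispatch.
 *
 * @param mixed           $response Result so far (normally null).
 * @param array           $handler  Matched route handler.
 * @param WP_REST_Request $request  Current request.
 * @return WP_Error|mixed
 */
function folderly_guard_clear_all_data( $response, $handler, $request ) {
	if ( untrailingslashit( $request->get_route() ) !== FOLDERLY_GUARDED_ROUTE ) {
		return $response; // Not the guarded route; leave it untouched.
	}
	if ( current_user_can( 'manage_options' ) ) {
		return $response; // Administrators continue to the plugin's own checks.
	}
	// Audit trail for recommendation 3 (log monitoring of the endpoint).
	$remote = isset( $_SERVER['REMOTE_ADDR'] )
		? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
		: 'unknown';
	error_log( sprintf(
		'folderly guard: blocked clear-all-data for user %d from %s',
		get_current_user_id(),
		$remote
	) );
	// 401 for anonymous callers, 403 for authenticated ones.
	return new WP_Error(
		'rest_forbidden',
		__( 'You are not allowed to clear Folderly data.' ),
		array( 'status' => rest_authorization_required_code() )
	);
}
add_filter( 'rest_request_before_callbacks', 'folderly_guard_clear_all_data', 10, 3 );
```

Verify the guard by issuing an authenticated request to the endpoint as an Author-role test user on a staging site and confirming a 403 response and a corresponding error_log entry; remove the mu-plugin once the vendor fix is installed and confirmed.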
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-21T18:17:23.009Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69059f2e1e4a8d05dce595d4
Added to database: 11/1/2025, 5:48:30 AM
Last enriched: 11/1/2025, 5:52:38 AM
Last updated: 11/1/2025, 1:23:58 PM
Views: 8