CVE-2025-12038 is an authorization vulnerability classified under CWE-863 found in the Folderly plugin for WordPress, affecting all versions up to 0.3. The vulnerability arises from an insufficient capability check on the REST API endpoint /wp-json/folderly/v1/config/clear-all-data. This endpoint allows authenticated users with Author-level access or higher to clear critical site data such as terms and categories without proper authorization validation. The flaw enables unauthorized modification of data, compromising the integrity of the WordPress site content. The vulnerability does not affect confidentiality or availability directly and does not require user interaction, but it does require the attacker to have at least Author-level privileges on the WordPress site. The CVSS 3.1 base score is 4.3 (medium), reflecting the network attack vector, low complexity, and limited privileges required. No known exploits have been reported in the wild, and no official patches have been released as of the publication date. The vulnerability was reserved on October 21, 2025, and published on November 1, 2025. The Folderly plugin is used to enhance email deliverability and marketing efforts within WordPress, making it a target for attackers seeking to disrupt site data integrity or manipulate taxonomy structures.

The primary impact of CVE-2025-12038 is unauthorized modification of WordPress site data, specifically the clearing of terms and categories, which can disrupt site organization, SEO, and content management. This can lead to significant operational disruption for websites relying on Folderly for email marketing and content categorization. Although the vulnerability does not expose confidential information or cause denial of service, the loss or alteration of taxonomy data can degrade user experience and damage business reputation. Attackers with Author-level access, which is commonly granted to content creators and editors, can exploit this flaw to sabotage site content or prepare for further attacks by manipulating site structure. Organizations with multiple contributors or less restrictive access controls are at higher risk. The vulnerability's network accessibility and low complexity make it feasible for insider threats or compromised accounts to exploit it, potentially leading to data integrity issues and administrative overhead to restore site content.

To mitigate CVE-2025-12038, organizations should immediately review and restrict WordPress user roles, ensuring that only trusted users have Author-level or higher privileges. Implement the principle of least privilege by limiting the number of users who can access sensitive REST API endpoints. Monitor REST API access logs for unusual or unauthorized calls to /wp-json/folderly/v1/config/clear-all-data. Disable or restrict the Folderly plugin's REST API endpoints via firewall rules or WordPress security plugins if feasible. Until an official patch is released, consider temporarily deactivating the Folderly plugin if the risk outweighs its benefits. Educate site administrators and content creators about the risk of privilege misuse and enforce strong authentication mechanisms, including multi-factor authentication, to reduce the risk of account compromise. Regularly back up WordPress site data, including taxonomy and configuration, to enable quick recovery in case of data modification or loss. Stay updated with vendor advisories for patches or updates addressing this vulnerability.