CVE-2025-12971 identifies an authorization vulnerability in the 'Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager' WordPress plugin developed by galdub. The vulnerability stems from a misconfigured capability check in the 'wcp_change_post_folder' function, which is responsible for moving media library folders and other content organizational units within WordPress. Specifically, the plugin fails to properly verify whether an authenticated user has the correct permissions to move folder contents. As a result, any user with Contributor-level access or higher can move arbitrary folder contents to arbitrary folders without proper authorization. This can lead to unauthorized modification of the media library and content organization, potentially disrupting site management and enabling further malicious activities such as content tampering or privilege escalation chains. The vulnerability affects all plugin versions up to and including 3.1.5. Exploitation requires authenticated access but no additional user interaction. The CVSS v3.1 base score is 4.3, indicating a medium severity primarily due to the integrity impact and low attack complexity. No known exploits have been reported in the wild as of the publication date. The vulnerability is classified under CWE-863 (Incorrect Authorization). No official patches or updates are currently linked, so mitigation may require manual permission adjustments or plugin updates once available.

The primary impact of CVE-2025-12971 is unauthorized modification of content organization within WordPress sites using the affected plugin. Attackers with Contributor-level access can move media files, pages, posts, or other folder contents arbitrarily, potentially causing confusion, disruption of workflows, or enabling further attacks such as content tampering or social engineering. While confidentiality and availability are not directly impacted, the integrity of site content and media organization is compromised. This can degrade user trust, complicate content management, and in some cases, facilitate privilege escalation if combined with other vulnerabilities. Organizations relying heavily on this plugin for media and content management face operational risks and potential reputational damage. Since exploitation requires authenticated access, the threat is more relevant in environments with multiple contributors or less restrictive user management policies.

To mitigate CVE-2025-12971, organizations should: 1) Immediately review and restrict Contributor-level and higher user permissions to trusted individuals only. 2) Monitor and audit folder and media library changes to detect unauthorized movements or modifications. 3) Apply updates or patches from the plugin vendor as soon as they become available. 4) If no patch is available, consider temporarily disabling the plugin or replacing it with alternative solutions that enforce proper authorization. 5) Implement WordPress security best practices such as limiting plugin installations to trusted sources and regularly reviewing user roles and capabilities. 6) Use security plugins that can detect anomalous content changes or unauthorized actions within the WordPress environment. 7) Educate site administrators and contributors about the risks of unauthorized content manipulation and encourage vigilance.