CVE-2025-12971: CWE-863 Incorrect Authorization in galdub Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager
The Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the 'wcp_change_post_folder' function in all versions up to, and including, 3.1.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to move arbitrary folder contents to arbitrary folders.
AI Analysis
Technical Summary
CVE-2025-12971 is a vulnerability identified in the WordPress plugin 'Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager' developed by galdub. The issue stems from an incorrect authorization check in the 'wcp_change_post_folder' function, which is responsible for handling the movement of media library folders, pages, posts, and files within the WordPress environment. Specifically, the plugin fails to properly verify whether the authenticated user has sufficient privileges to move folder contents, allowing users with Contributor-level access or higher to arbitrarily relocate folder contents to any folder. This misconfiguration violates the principle of least privilege and is classified under CWE-863 (Incorrect Authorization). The vulnerability affects all versions up to and including 3.1.5. The attack vector is remote and network-based, requiring only authenticated access with Contributor or higher privileges, and no user interaction is needed beyond authentication. The impact is limited to unauthorized modification of folder organization, which can disrupt content management, cause confusion, or potentially be leveraged as part of a broader attack chain. The CVSS v3.1 base score is 4.3, indicating medium severity, with an attack vector of network, low attack complexity, privileges required at the low level, no user interaction, and impact limited to integrity loss without affecting confidentiality or availability. No patches are currently linked, and no known exploits are reported in the wild. The vulnerability was published on November 27, 2025, with the issue reserved on November 10, 2025, and assigned by Wordfence.
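The defect class described above (CWE-863, a capability check that tests a broad role-level capability instead of the caller's rights on the specific object) is easiest to see side by side with its fix. The following is an added illustration written for this page, not the Folders plugin's own code: the AJAX action name, the `post_id`/`folder_id` parameters, the `example_folder` taxonomy used to store folder membership, and the nonce action are all assumptions. The weak handler only checks `edit_posts`, which WordPress grants to Contributors by default, so any Contributor can move any item; the hardened handler checks the per-object `edit_post` meta-capability on the item being moved and validates the destination.

```php
<?php
// Added illustration of CWE-863 in a WordPress AJAX handler.
// NOT the Folders plugin's code: action name, parameters, and the
// 'example_folder' taxonomy are assumptions made for this example.

// --- Weak pattern: a role-level capability is checked, not the object.
// Contributors hold 'edit_posts' by default, so this does not distinguish
// "may edit some posts" from "may edit THIS post".
function example_change_post_folder_weak() {
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $post_id   = absint( $_POST['post_id'] ?? 0 );
    $folder_id = absint( $_POST['folder_id'] ?? 0 );
    // Assumed storage: folder membership is a term on the post.
    wp_set_object_terms( $post_id, array( $folder_id ), 'example_folder' );
    wp_send_json_success();
}

// --- Hardened pattern: verify the nonce, then check the object-level
// meta-capability for the specific item and validate the destination.
function example_change_post_folder_hardened() {
    // Nonce created on the server with wp_create_nonce( 'example_change_post_folder' )
    // and passed to the client (e.g. via wp_localize_script).
    check_ajax_referer( 'example_change_post_folder', 'nonce' );

    $post_id   = absint( $_POST['post_id'] ?? 0 );
    $folder_id = absint( $_POST['folder_id'] ?? 0 );

    // 'edit_post' is resolved per object by map_meta_cap(): a Contributor may
    // edit their own unpublished draft but not another author's post or an
    // attachment they do not own.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // The destination must be a real folder term the caller may assign.
    $term = get_term( $folder_id, 'example_folder' );
    if ( ! $term || is_wp_error( $term ) || ! current_user_can( 'assign_term', $folder_id ) ) {
        wp_send_json_error( 'invalid folder', 400 );
    }

    wp_set_object_terms( $post_id, array( (int) $term->term_id ), 'example_folder' );
    wp_send_json_success();
}

// Only the hardened handler is wired up; the weak one is shown for contrast.
add_action( 'wp_ajax_example_change_post_folder', 'example_change_post_folder_hardened' );
```

The important difference is the argument to `current_user_can()`: a bare role capability such as `edit_posts` answers "can this role edit posts at all", whereas the `edit_post` meta-capability with a post ID answers "can this user edit this particular item", which is the question an authorization check on a move operation has to ask.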
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to websites and web applications using WordPress with the affected galdub plugin installed. Unauthorized folder content movement can disrupt content organization, leading to operational inefficiencies, potential content misplacement, or accidental exposure of sensitive media if folder permissions differ. While it does not directly compromise confidentiality or availability, the integrity of content management is affected, which can undermine trust in digital assets and complicate compliance with data governance policies. Organizations with multiple contributors managing content are particularly vulnerable, as attackers only need Contributor-level access, which is commonly granted to content creators or editors. This can facilitate insider threats or exploitation of compromised contributor accounts. The risk is heightened in sectors with strict content control requirements such as media, publishing, education, and government websites. Additionally, attackers could use this vulnerability as a foothold for further attacks by manipulating folder structures to hide malicious content or disrupt workflows.
Mitigation Recommendations
1. Immediately review and restrict Contributor-level permissions on WordPress sites using the affected plugin, ensuring users have only the minimum necessary privileges.
2. Monitor folder and media library changes closely through logging and alerting mechanisms to detect unauthorized folder movements.
3. Implement strict access controls and role-based permissions for content management to limit the number of users with Contributor or higher access.
4. Regularly audit installed plugins and remove or disable those that are unnecessary or unmaintained.
5. Stay informed about updates from the plugin vendor and apply patches promptly once released.
6. Consider implementing web application firewalls (WAF) with custom rules to detect and block suspicious API calls related to folder modifications.
7. Educate content contributors about security best practices and the risks of compromised accounts.
8. Use multi-factor authentication (MFA) for all user accounts with elevated privileges to reduce the risk of account compromise.
9. If possible, isolate critical media libraries or sensitive content in separate WordPress instances or with additional access controls to minimize impact.
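Recommendations 2 and 6 (log folder-move attempts and block the suspicious ones) can be implemented at the site level without touching the plugin, as a must-use plugin that runs before the plugin's own AJAX handler. The code below is an added example for this page, not part of the Folders plugin or the vendor's fix. It assumes the vulnerable handler is reached through an `admin-ajax.php` action named `wcp_change_post_folder` carrying a `post_id` parameter; both are assumptions to confirm against the plugin's registered actions before use. It writes one JSON line per attempt to the PHP error log (from where a SIEM can collect it) and, as an interim compensating control, denies moves of items the caller could not edit.

```php
<?php
/*
 * Plugin Name: Example Folder-Move Audit (mu-plugin)
 * Added illustration for mitigations 2 and 6; not part of the Folders plugin.
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 * ASSUMPTION: the handler is an admin-ajax.php action named
 * 'wcp_change_post_folder' with a 'post_id' parameter. Verify and adjust the
 * two constants below after inspecting the plugin's registered actions.
 */

const EXAMPLE_WATCHED_ACTIONS = array( 'wcp_change_post_folder' );
const EXAMPLE_POST_ID_PARAM   = 'post_id';

function example_folder_move_audit() {
    // admin_init fires inside admin-ajax.php before the wp_ajax_* hooks.
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( ! in_array( $action, EXAMPLE_WATCHED_ACTIONS, true ) ) {
        return;
    }

    $user    = wp_get_current_user();
    $post_id = absint( $_REQUEST[ EXAMPLE_POST_ID_PARAM ] ?? 0 );
    // Object-level check: may this user edit this specific item?
    $allowed = $post_id && current_user_can( 'edit_post', $post_id );

    // One structured line per attempt, allowed or not, for alerting on
    // Contributors moving items they do not own.
    error_log( wp_json_encode( array(
        'event'   => 'folder_move_attempt',
        'action'  => $action,
        'user_id' => $user->ID,
        'login'   => $user->user_login,
        'roles'   => $user->roles,
        'post_id' => $post_id,
        'allowed' => $allowed,
        'ip'      => $_SERVER['REMOTE_ADDR'] ?? '',
        'ts'      => gmdate( 'c' ),
    ) ) );

    // Interim compensating control until the vendor fix is installed:
    // stop the request before the plugin's handler runs.
    if ( ! $allowed ) {
        wp_send_json_error( 'You may not move this item.', 403 );
    }
}
// Priority 1 so the audit runs ahead of other admin_init callbacks.
add_action( 'admin_init', 'example_folder_move_audit', 1 );
```

Alert on log lines with `"allowed":false`, and on any Contributor-role user producing a burst of `folder_move_attempt` events, which is the pattern a compromised or malicious contributor account would leave. Remove the denial branch once the patched plugin version is deployed, but keep the logging.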
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-10T17:57:13.316Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 692846e93362f74ea5ac7bc0
Added to database: 11/27/2025, 12:41:13 PM
Last enriched: 12/4/2025, 1:51:56 PM
Last updated: 1/11/2026, 8:17:05 PM
Views: 90