
CVE-2025-6986: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in ninjateam FileBird – WordPress Media Library Folders & File Manager

Severity: Medium
Published: Wed Aug 06 2025 (08/06/2025, 01:45:13 UTC)
Source: CVE Database V5
Vendor/Project: ninjateam
Product: FileBird – WordPress Media Library Folders & File Manager

Description

The FileBird – WordPress Media Library Folders & File Manager plugin for WordPress is vulnerable to SQL Injection via the 'search' parameter in all versions up to, and including, 6.4.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AI-Powered Analysis

Last updated: 08/06/2025, 02:35:10 UTC

Technical Analysis

CVE-2025-6986 is a medium-severity SQL injection vulnerability (CWE-89) in the FileBird – WordPress Media Library Folders & File Manager plugin by ninjateam, affecting all versions up to and including 6.4.8. The root cause is improper neutralization of special elements in the 'search' parameter: the user-supplied value is placed into an SQL query without adequate escaping and without a prepared (parameterized) statement. An authenticated attacker with Author-level privileges or higher can supply SQL syntax through the 'search' parameter and append additional SQL to the existing query, which can be used to extract sensitive information from the WordPress database. No user interaction beyond authentication is required, and the flaw is exploitable remotely over the network. The CVSS 3.1 base score is 6.5 (medium), reflecting high confidentiality impact with no impact on integrity or availability. No exploits in the wild are currently reported, and no official patch has been linked yet.

Because the plugin is widely used to organize media files, the attack surface is every WordPress site running a vulnerable version that has users with the Author role or above. The authentication requirement limits exploitation to insiders or compromised accounts, but the ability to read arbitrary data from the database is a significant confidentiality risk, including exposure of user data, site configuration, or other stored information.
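The two query patterns the analysis contrasts, as an added illustration written for this page (it is not FileBird's code; the table name and column names are assumptions). The vulnerable form concatenates the 'search' value into the SQL string; the hardened form escapes LIKE wildcards with `$wpdb->esc_like()` and binds the value with `$wpdb->prepare()`, so quotes or comment markers in the input can no longer change the statement.

```php
<?php
// Hypothetical illustration of the CWE-89 pattern in this advisory.
// Not FileBird's actual code; table and column names are assumptions.

// Vulnerable pattern: the user-supplied 'search' value is interpolated
// straight into the SQL text. A single quote in the value closes the
// literal and whatever follows is executed as part of the query.
function example_like_search_vulnerable( $search ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_folders'; // assumed table name
    $sql   = "SELECT id, name FROM {$table} WHERE name LIKE '%{$search}%'";
    return $wpdb->get_results( $sql );
}

// Hardened pattern: esc_like() neutralises the LIKE wildcards % and _ so
// they match literally, and prepare() quotes the whole value as a bound
// string, so no input can alter the structure of the statement.
function example_like_search_hardened( $search ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_folders'; // assumed table name
    $like  = '%' . $wpdb->esc_like( $search ) . '%';
    $sql   = $wpdb->prepare(
        "SELECT id, name FROM {$table} WHERE name LIKE %s",
        $like
    );
    return $wpdb->get_results( $sql );
}

// Request handler: read the parameter the way WordPress expects (unslash
// first). sanitize_text_field() tidies the value; it is prepare() above,
// not this call, that prevents SQL injection.
function example_handle_search_request() {
    $search = isset( $_REQUEST['search'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['search'] ) )
        : '';
    return example_like_search_hardened( $search );
}
```

The table name is interpolated only because it comes from `$wpdb->prefix`, never from the request; every request-controlled value must go through a `%s`/`%d` placeholder.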

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily to the confidentiality of data stored within WordPress sites using the vulnerable FileBird plugin. Many European businesses, government agencies, and NGOs rely on WordPress for their web presence and content management, often with multiple authors contributing content. If an attacker gains Author-level access—through credential compromise or insider threat—they could exploit this vulnerability to extract sensitive data from the database, including personal data protected under GDPR. This could lead to data breaches, regulatory penalties, reputational damage, and loss of customer trust. Additionally, extraction of configuration or credential data could facilitate further attacks. Although the vulnerability does not affect availability or integrity directly, the confidentiality impact alone is significant given the strict data protection regulations in Europe. The lack of known exploits in the wild reduces immediate risk, but the ease of exploitation with low attack complexity and no user interaction means that targeted attacks could emerge quickly once the vulnerability becomes widely known.

Mitigation Recommendations

European organizations should take immediate mitigation steps rather than waiting on generic patching advice. First, identify all WordPress instances using the FileBird plugin and verify the installed version. Since no official patch links are provided yet, monitor vendor announcements and security advisories closely for updates. In the interim, restrict Author-level and higher privileges to trusted users only, and enforce strong authentication such as multi-factor authentication to reduce the risk of account compromise. Implement Web Application Firewalls (WAFs) with custom rules to detect and block suspicious SQL injection patterns in the 'search' parameter. Audit user roles and permissions to minimize the number of users with elevated privileges. Regularly review access logs for anomalous query patterns or unusual database access. Consider temporarily disabling or replacing the FileBird plugin if patching is not immediately possible. Finally, ensure that database backups are encrypted and access-controlled to limit damage in case of data exfiltration.
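One way to apply the interim WAF-style control and logging described above at the application layer, as an added example written for this advisory (not a vendor patch): a must-use plugin that inspects the 'search' request parameter, logs the requesting user and source address, and rejects values carrying SQL metacharacters. The regex and the decision to block rather than only log are assumptions to tune per site.

```php
<?php
/**
 * Plugin Name: Interim 'search' parameter guard (added example)
 * Description: Stop-gap for the SQLi pattern in this advisory. Place in
 *              wp-content/mu-plugins/ and remove once the vendor fix is applied.
 */

add_action( 'init', function () {
    if ( ! isset( $_REQUEST['search'] ) ) {
        return;
    }
    $value = (string) wp_unslash( $_REQUEST['search'] );

    // Characters and keywords a media-folder search never needs but which are
    // required to break out of a quoted literal or append a second statement.
    // Assumed rule set: tune for legitimate folder names before enabling blocking.
    $suspicious = '/[\'"`;]|--|\/\*|\bUNION\b|\bSELECT\b|\bSLEEP\s*\(/i';
    if ( ! preg_match( $suspicious, $value ) ) {
        return;
    }

    // Record who sent it and from where, so the event can be investigated
    // alongside WAF and access logs.
    $user = wp_get_current_user();
    error_log( sprintf(
        '[search-guard] blocked suspicious search param user=%s ip=%s value=%s',
        $user->user_login ? $user->user_login : 'anonymous',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '?',
        substr( $value, 0, 200 )
    ) );

    wp_die( 'Invalid search value.', 'Blocked', array( 'response' => 400 ) );
}, 1 );
```

Because other plugins and themes may also use a parameter named 'search', scope the check further (for example by the `action` value of the plugin's own AJAX requests, once identified) before enforcing it on a production site.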


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-07-01T20:38:33.316Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6892b7caad5a09ad00ed7e02

Added to database: 8/6/2025, 2:02:50 AM

Last enriched: 8/6/2025, 2:35:10 AM

Last updated: 8/13/2025, 12:34:30 AM
