CVE-2025-26977
Published: 25 February 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-26977 is an Authorization Bypass Through User-Controlled Key vulnerability (CWE-639) in the Ninja Team Filebird WordPress plugin. It allows exploitation of incorrectly configured access control security levels and is documented as an Insecure Direct Object Reference (IDOR) issue. The vulnerability affects Filebird versions through 6.4.2.1 (no lower bound is specified) and has a CVSS v3.1 base score of 3.8 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N).
High-privileged users (PR:H), such as administrators or equivalent roles on affected WordPress sites, can exploit this over the network with low attack complexity and no user interaction. Successful exploitation allows limited bypass of authorization controls, resulting in low-impact confidentiality and integrity violations, such as unauthorized access or minor modification of objects like files or folders via user-controlled keys.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/filebird/vulnerability/wordpress-filebird-plugin-6-4-2-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve) details the IDOR vulnerability in Filebird up to version 6.4.2.1. Mitigation involves updating to a version beyond 6.4.2.1, as the issue does not affect later releases.
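To apply the mitigation across several sites, the installed version has to be compared against the 6.4.2.1 boundary. The following is an added example, not code from the advisory or the plugin: it assumes the plugin lives in a directory named `filebird` (the slug in the advisory URL), and the function names and the sample header are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (6, 4, 2, 1)  # from the advisory: affected through 6.4.2.1
# Standard WordPress plugin header line, e.g. " * Version: 6.4.2.1"
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.I | re.M)
# Constructed sample header (not copied from the real plugin)
SAMPLE_HEADER = "<?php\n/**\n * Plugin Name: FileBird Lite\n * Version: 6.4.2.1\n */\n"

def parse_version(text):
    """Turn '6.4.2.1' into (6, 4, 2, 1); trailing zeros are dropped so 6.4 == 6.4.0."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def installed_version(plugin_dir):
    """Read Version from the top-level PHP file that carries the plugin header."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # header sits at the top of the file
        if "Plugin Name:" in head:
            match = HEADER_RE.search(head)
            if match:
                return match.group(1)
    return None

def audit(root):
    """Return {plugin_dir: (version, affected)} for every filebird install under root."""
    results = {}
    for plugin_dir in Path(root).rglob("wp-content/plugins/filebird"):
        version = installed_version(plugin_dir)
        if version is None:
            results[str(plugin_dir)] = (None, True)  # unknown version: treat as affected
        else:
            affected = parse_version(version) <= LAST_AFFECTED
            results[str(plugin_dir)] = (version, affected)
    return results

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed demo tree
        demo = Path(root, "site-a/wp-content/plugins/filebird")
        demo.mkdir(parents=True)
        (demo / "filebird.php").write_text(SAMPLE_HEADER)
        for path, (version, affected) in audit(root).items():
            print(path, version or "unknown", "UPDATE" if affected else "ok")
```

Installs whose version cannot be read are reported as affected so that they are checked by hand rather than silently skipped.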
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The IDOR vulnerability in the public-facing WordPress plugin directly enables exploitation via T1190 (Exploit Public-Facing Application) for unauthorized access/modification of files and folders; this facilitates T1005 (Data from Local System) by allowing high-privileged users to bypass controls and access local file system objects.