CVE-2025-11510: 
WordPress vulnerability analysis and mitigation

The FileBird – WordPress Media Library Folders & File Manager plugin for WordPress contains a missing capability check vulnerability (CVE-2025-11510) discovered in October 2025. This vulnerability affects all versions up to and including 6.4.9. The issue exists in the /filebird/v1/fb-wipe-clear-all-data function, which lacks proper authorization controls (NVD).

The vulnerability stems from a missing capability check in the /filebird/v1/fb-wipe-clear-all-data function. The CVSS v3.1 base score is 4.3 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. The issue is classified as CWE-285 (Improper Authorization) (NVD, Wordfence).

When exploited, this vulnerability allows authenticated attackers with author-level access or higher to reset all of the plugin's configuration data. This could lead to disruption of the media library organization and folder structure within WordPress installations (NVD).

A patch has been implemented in the source code that adds proper capability checks to ensure only administrators can access the data wiping functionality (WordPress Plugin Repository). Users should update to a version newer than 6.4.9 to protect against this vulnerability.