CVE-2025-6986: 
WordPress vulnerability analysis and mitigation

The FileBird – WordPress Media Library Folders & File Manager plugin for WordPress contains an SQL Injection vulnerability (CVE-2025-6986) discovered and disclosed on August 5, 2025. This vulnerability affects all versions up to and including 6.4.8 of the plugin. The issue exists in the 'search' parameter functionality (NVD CVE).

The vulnerability is classified as SQL Injection (CWE-89) due to insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries. The vulnerability has received a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and required low privileges (NVD CVE).

When exploited, this vulnerability allows authenticated attackers with Author-level access or higher to append additional SQL queries to existing database queries. This capability can be leveraged to extract sensitive information from the WordPress database (NVD CVE).

Users should upgrade their FileBird plugin to a version newer than 6.4.8 once available. Until then, it is recommended to restrict Author-level access to trusted users only (Wordfence Report).