{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1883", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-04T13:48:43.162Z", "datePublished": "2026-03-15T01:19:05.803Z", "dateUpdated": "2026-03-16T19:15:04.692Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-15T01:19:05.803Z"}, "affected": [{"vendor": "wickedplugins", "product": "Wicked Folders \u2013 Folder Organizer for Pages, Posts, and Custom Post Types", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "4.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Wicked Folders \u2013 Folder Organizer for Pages, Posts, and Custom Post Types plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the delete_folders() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary folders created by other users."}], "title": "Wicked Folders <= 4.1.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Folder Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5cec2c52-d780-4d94-a5b2-d3b405bce49c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3473857/wicked-folders"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Youssef Elouaer"}], "timeline": [{"time": "2026-02-04T15:27:18.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-14T13:11:53.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T19:14:30.706921Z", "id": "CVE-2026-1883", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T19:15:04.692Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1883", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T19:14:30.706921Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T19:14:36.354Z"}}], "cna": {"title": "Wicked Folders <= 4.1.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Folder Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Youssef Elouaer"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wickedplugins", "product": "Wicked Folders \u2013 Folder Organizer for Pages, Posts, and Custom Post Types", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-04T15:27:18.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-14T13:11:53.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5cec2c52-d780-4d94-a5b2-d3b405bce49c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3473857/wicked-folders"}], "descriptions": [{"lang": "en", "value": "The Wicked Folders \u2013 Folder Organizer for Pages, Posts, and Custom Post Types plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the delete_folders() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary folders created by other users."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-15T01:19:05.803Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1883", "state": "PUBLISHED", "dateUpdated": "2026-03-16T19:15:04.692Z", "dateReserved": "2026-02-04T13:48:43.162Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-15T01:19:05.803Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Wicked Folders \u2013 Folder Organizer for Pages, Posts, and Custom Post Types plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the delete_folders() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary folders created by other users."}], "id": "CVE-2026-1883", "lastModified": "2026-03-16T14:53:07.390", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "[email protected]", "type": "Primary"}]}, "published": "2026-03-16T14:18:08.200", "references": [{"source": "[email protected]", "url": "https://plugins.trac.wordpress.org/changeset/3473857/wicked-folders"}, {"source": "[email protected]", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5cec2c52-d780-4d94-a5b2-d3b405bce49c?source=cve"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "[email protected]", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Wicked Folders \u2013 Folder Organizer for Pages, Posts, and Custom Post Types", "source": "cna", "vendor": "wickedplugins"}, "product": "wicked_folders_\u2013_folder_organizer_for_pages,_posts,_and_custom_post_types", "vendor": "wickedplugins"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "created": "2026-03-16T09:22:15.334774+00:00", "updated": "2026-03-16T09:22:15.334893+00:00", "vendors": ["wickedplugins", "wickedplugins$PRODUCT$wicked_folders_\u2013_folder_organizer_for_pages,_posts,_and_custom_post_types", "wordpress", "wordpress$PRODUCT$wordpress"]}