CVE-2026-1883 Overview
The Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability in all versions up to, and including, 4.1.0. The vulnerability exists in the delete_folders() function due to missing validation on a user-controlled key. This security flaw allows authenticated attackers with Contributor-level access and above to delete arbitrary folders created by other users, potentially disrupting site organization and content management workflows.
Critical Impact
Authenticated attackers with minimal privileges can delete folders belonging to other users, compromising the integrity of WordPress content organization across the affected site.
Affected Products
- Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types plugin for WordPress versions up to and including 4.1.0
Discovery Timeline
- 2026-03-16 - CVE CVE-2026-1883 published to NVD
- 2026-03-16 - Last updated in NVD database
Technical Details for CVE-2026-1883
Vulnerability Analysis
This vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), commonly known as an Insecure Direct Object Reference (IDOR). The flaw resides in the delete_folders() function within the Wicked Folders plugin, which fails to properly validate whether the requesting user has ownership or appropriate permissions to delete the targeted folder resource.
When processing folder deletion requests, the plugin accepts a user-supplied folder identifier without verifying that the authenticated user is the owner of that folder or has administrative privileges to manage other users' folders. This authorization gap allows any user with at least Contributor-level access to enumerate and delete folders created by other users, including administrators.
The attack requires network access and authentication with low privileges (Contributor role or higher), but requires no user interaction to execute. While the vulnerability does not expose confidential data or enable code execution, it allows unauthorized modification of the WordPress content organization structure.
Root Cause
The root cause of this vulnerability is the absence of proper authorization checks within the delete_folders() function. The function accepts a folder identifier directly from user input and proceeds to delete the corresponding folder without validating whether the authenticated user owns that folder or has been granted permission to delete it. This is a classic example of broken access control where the application relies solely on authentication (verifying the user is logged in) without implementing proper authorization (verifying the user has permission to perform the specific action on the specific resource).
Attack Vector
The attack vector for this vulnerability is network-based, requiring an authenticated session with at least Contributor-level privileges. An attacker would:
- Authenticate to the WordPress site with a Contributor or higher role account
- Identify folder IDs belonging to other users through enumeration or observation
- Send crafted deletion requests to the delete_folders() function with the target folder IDs
- Successfully delete folders without ownership verification
The vulnerability can be exploited by sending malicious requests to the folder deletion endpoint with arbitrary folder identifiers. Since the plugin does not verify folder ownership before processing deletion requests, the operation succeeds regardless of whether the authenticated user created the target folder. For technical implementation details, refer to the WordPress Plugin Changeset and the Wordfence Vulnerability Analysis.
Detection Methods for CVE-2026-1883
Indicators of Compromise
- Unexpected deletion of folders in the Wicked Folders organization structure
- User reports of missing folder hierarchies they did not delete
- Audit logs showing folder deletion operations by users who did not create those folders
- Increased folder deletion activity from Contributor-level accounts
Detection Strategies
- Monitor WordPress audit logs for folder deletion events associated with users who did not create the targeted folders
- Implement file integrity monitoring on the WordPress database to detect unauthorized changes to folder structures
- Review access logs for unusual patterns of DELETE requests or AJAX calls to the Wicked Folders plugin endpoints
Monitoring Recommendations
- Enable comprehensive WordPress audit logging to track all folder management operations
- Set up alerts for bulk folder deletion activities, especially from non-administrator accounts
- Regularly review user activity logs for Contributor and Author role accounts interacting with folder management functions
How to Mitigate CVE-2026-1883
Immediate Actions Required
- Update the Wicked Folders plugin to a version newer than 4.1.0 that includes the security fix
- Review recent folder deletion activity to identify any potential exploitation
- Consider temporarily restricting folder management capabilities to administrator accounts until the patch is applied
- Audit user accounts with Contributor-level access and above for any suspicious activity
Patch Information
A security patch has been released to address this vulnerability. The fix can be reviewed in the WordPress Plugin Changeset. Administrators should update to the latest version of the Wicked Folders plugin through the WordPress plugin update mechanism. The patch implements proper authorization checks to ensure users can only delete folders they own or have explicit permission to manage.
Workarounds
- Temporarily disable the Wicked Folders plugin until the patch can be applied
- Restrict user roles by removing Contributor access from untrusted users
- Implement additional access controls through a WordPress security plugin to limit folder management capabilities
- Use server-side firewall rules to restrict access to plugin AJAX endpoints from untrusted sources
# Configuration example
# Temporarily disable the plugin via WP-CLI
wp plugin deactivate wicked-folders
# After updating, verify the new version is installed
wp plugin list --name=wicked-folders --fields=name,version,status
# Check for suspicious folder deletion activity in the database
wp db query "SELECT * FROM wp_options WHERE option_name LIKE '%wicked_folder%'" --allow-root
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
