Cyber Resilience

CVE-2025-26977

Low

Published: 25 February 2025

Published
25 February 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 3.8 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
EPSS Score 0.0003 10.8th percentile
Risk Priority 8 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26977 is a low-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Ninjateam Filebird. Its CVSS base score is 3.8 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-26977 is an Authorization Bypass Through User-Controlled Key vulnerability (CWE-639) in the Ninja Team Filebird WordPress plugin. It enables exploiting incorrectly configured access control security levels and is documented as an Insecure Direct Object Reference (IDOR) issue. The vulnerability affects Filebird versions from n/a through 6.4.2.1, with a CVSS v3.1 base score of 3.8 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N).

High-privileged users (PR:H), such as administrators or equivalent roles on affected WordPress sites, can exploit this over the network with low attack complexity and no user interaction. Successful exploitation allows limited bypass of authorization controls, resulting in low-impact confidentiality and integrity violations, such as unauthorized access or minor modification of objects like files or folders via user-controlled keys.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/filebird/vulnerability/wordpress-filebird-plugin-6-4-2-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve) details the IDOR vulnerability in Filebird up to version 6.4.2.1. Mitigation involves updating to a version beyond 6.4.2.1, as the issue does not affect later releases.

EU & UK References

Vulnerability details

Authorization Bypass Through User-Controlled Key vulnerability in Ninja Team Filebird filebird allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Filebird: from n/a through <= 6.4.2.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

The IDOR vulnerability in the public-facing WordPress plugin directly enables exploitation via T1190 (Exploit Public-Facing Application) for unauthorized access/modification of files and folders; this facilitates T1005 (Data from Local System) by allowing high-privileged users to bypass controls and access local file system objects.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-45968Shared CWE-639
CVE-2026-22235Shared CWE-639
CVE-2026-22589Shared CWE-639
CVE-2026-24773Shared CWE-639
CVE-2025-24591Same vendor: Ninjateam
CVE-2024-50693Shared CWE-639
CVE-2025-69394Shared CWE-639
CVE-2026-41471Shared CWE-639
CVE-2025-58402Shared CWE-639
CVE-2025-68051Shared CWE-639

Affected Assets

ninjateam
filebird
≤ 6.4.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for access to files and folders, directly preventing authorization bypass through user-controlled keys in the Filebird IDOR vulnerability.

prevent

Validates user-supplied inputs such as object keys or IDs to ensure they are properly authorized, mitigating insecure direct object reference exploitation.

prevent

Requires timely identification, reporting, and correction of flaws like this IDOR in Filebird by applying patches to versions beyond 6.4.2.1.

References