CVE-2025-26977
Published: 25 February 2025
Summary
CVE-2025-26977 is a low-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Ninjateam Filebird. Its CVSS base score is 3.8 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for access to files and folders, directly preventing authorization bypass through user-controlled keys in the Filebird IDOR vulnerability.
Validates user-supplied inputs such as object keys or IDs to ensure they are properly authorized, mitigating insecure direct object reference exploitation.
Requires timely identification, reporting, and correction of flaws like this IDOR in Filebird by applying patches to versions beyond 6.4.2.1.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The IDOR vulnerability in the public-facing WordPress plugin directly enables exploitation via T1190 (Exploit Public-Facing Application) for unauthorized access/modification of files and folders; this facilitates T1005 (Data from Local System) by allowing high-privileged users to bypass controls and access local file system objects.
NVD Description
Authorization Bypass Through User-Controlled Key vulnerability in Ninja Team Filebird filebird allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Filebird: from n/a through <= 6.4.2.1.
Deeper analysisAI
CVE-2025-26977 is an Authorization Bypass Through User-Controlled Key vulnerability (CWE-639) in the Ninja Team Filebird WordPress plugin. It enables exploiting incorrectly configured access control security levels and is documented as an Insecure Direct Object Reference (IDOR) issue. The vulnerability affects Filebird versions from n/a through 6.4.2.1, with a CVSS v3.1 base score of 3.8 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N).
High-privileged users (PR:H), such as administrators or equivalent roles on affected WordPress sites, can exploit this over the network with low attack complexity and no user interaction. Successful exploitation allows limited bypass of authorization controls, resulting in low-impact confidentiality and integrity violations, such as unauthorized access or minor modification of objects like files or folders via user-controlled keys.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/filebird/vulnerability/wordpress-filebird-plugin-6-4-2-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve) details the IDOR vulnerability in Filebird up to version 6.4.2.1. Mitigation involves updating to a version beyond 6.4.2.1, as the issue does not affect later releases.
Details
- CWE(s)