Plugin Vulnerability Hub
Plugin | 22 known issues | Latest disclosed Mar 14, 2026

Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types Vulnerabilities

Review known vulnerability records for the WordPress plugin Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types (`wicked-folders`), including severity, CVE references, affected versions, and patch status.

Known Records: 22
High or Critical: 1
Linked CVEs: 22
Last Updated: Mar 14, 2026

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types so operators can quickly confirm whether a disclosed issue maps to the installed slug and version range.

Patch Visibility: 22 records include a published patch path.
Severity Mix: 0 critical and 1 high severity finding.
Reference Workflow: Jump from the hub into the full report when you need remediation notes, CVSS vector details, or source references.

Known Vulnerabilities

Reports for Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types

Sorted by latest disclosure date so newly published issues surface first.

Plugin | Medium | Patched: Yes | CVE-2026-1883
Wicked Folders <= 4.1.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Folder Deletion

The Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the delete_folders() function due to missing validation on a user controlled key. T...

Published: Mar 14, 2026
Patched Release: 4.1.1
Affected Versions: Versions up to 4.1.0
Next Step: Update to 4.1.1 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2023-0711
Wicked Folders <= 2.18.16 - Missing Authorization via ajax_save_state

The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax_save_state function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions and abo...

Published: Feb 07, 2023
Patched Release: 2.18.17
Affected Versions: Versions up to 2.18.16
Next Step: Update to 2.18.17 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2023-0727
Wicked Folders <= 2.18.16 - Cross-Site Request Forgery via ajax_delete_folder

The Wicked Folders plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.18.16. This is due to missing or incorrect nonce validation on the ajax_delete_folder function. This makes it possible for unauthenticated attackers to invoke t...

Published: Feb 07, 2023
Patched Release: 2.18.17
Affected Versions: Versions up to 2.18.16
Next Step: Update to 2.18.17 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2023-0726
Wicked Folders <= 2.18.16 - Cross-Site Request Forgery via ajax_edit_folder

The Wicked Folders plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.18.16. This is due to missing or incorrect nonce validation on the ajax_edit_folder function. This makes it possible for unauthenticated attackers to invoke thi...

Published: Feb 07, 2023
Patched Release: 2.18.17
Affected Versions: Versions up to 2.18.16
Next Step: Update to 2.18.17 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2023-0718
Wicked Folders <= 2.18.16 - Missing Authorization on ajax_save_folder

The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax_save_folder function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions and ab...

Published: Feb 07, 2023
Patched Release: 2.18.17
Affected Versions: Versions up to 2.18.16
Next Step: Update to 2.18.17 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2023-0715
Wicked Folders <= 2.18.16 - Missing Authorization on ajax_clone_folder

The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax_clone_folder function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions and a...

Published: Feb 07, 2023
Patched Release: 2.18.17
Affected Versions: Versions up to 2.18.16
Next Step: Update to 2.18.17 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2023-0723
Wicked Folders <= 2.18.16 - Cross-Site Request Forgery on ajax_move_object

The Wicked Folders plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.18.16. This is due to missing or incorrect nonce validation on the ajax_move_object function. This makes it possible for unauthenticated attackers to invoke thi...

Published: Feb 07, 2023
Patched Release: 2.18.17
Affected Versions: Versions up to 2.18.16
Next Step: Update to 2.18.17 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2023-0720
Wicked Folders <= 2.18.16 - Missing Authorization on ajax_save_folder_order

The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax_save_folder_order function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions...

Published: Feb 07, 2023
Patched Release: 2.18.17
Affected Versions: Versions up to 2.18.16
Next Step: Update to 2.18.17 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2023-0725
Wicked Folders <= 2.18.16 - Cross-Site Request Forgery via ajax_clone_folder

The Wicked Folders plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.18.16. This is due to missing or incorrect nonce validation on the ajax_clone_folder function. This makes it possible for unauthenticated attackers to invoke th...

Published: Feb 07, 2023
Patched Release: 2.18.17
Affected Versions: Versions up to 2.18.16
Next Step: Update to 2.18.17 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2023-0713
Wicked Folders <= 2.18.16 - Missing Authorization on ajax_add_folder

The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax_add_folder function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions and abo...

Published: Feb 07, 2023
Patched Release: 2.18.17
Affected Versions: Versions up to 2.18.16
Next Step: Update to 2.18.17 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2023-0730
Wicked Folders <= 2.18.16 - Cross-Site Request Forgery via ajax_save_folder_order

The Wicked Folders plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.18.16. This is due to missing or incorrect nonce validation on the ajax_save_folder_order function. This makes it possible for unauthenticated attackers to invo...

Published: Feb 07, 2023
Patched Release: 2.18.17
Affected Versions: Versions up to 2.18.16
Next Step: Update to 2.18.17 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2023-0724
Wicked Folders <= 2.18.16 - Cross-Site Request Forgery via ajax_add_folder

The Wicked Folders plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.18.16. This is due to missing or incorrect nonce validation on the ajax_add_folder function. This makes it possible for unauthenticated attackers to invoke this...

Published: Feb 07, 2023
Patched Release: 2.18.17
Affected Versions: Versions up to 2.18.16
Next Step: Update to 2.18.17 or newer if supported.