VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 22 known issues Latest disclosed Mar 14, 2026

Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types Vulnerabilities

Review known vulnerability records for the WordPress plugin Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types (`wicked-folders`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-1883, CVE-2023-0711 and CVE-2023-0727, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
22
High or Critical
1
Patch Coverage
100%
Last Updated
Mar 15, 2026
Priority CVE Quick Links

Fast paths into Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
22
CVE-2021-24919 High 2.18.10
CVE-2021-24919 Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types SQL Injection

Wicked Folders <= 2.18.9 - Subscriber+ SQL Injection

CVE-2023-0711 Medium 2.18.17
CVE-2023-0711 Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types Authorization Bypass

Wicked Folders <= 2.18.16 - Missing Authorization via ajax_save_state

CVE-2023-0727 Medium 2.18.17
CVE-2023-0727 Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types Cross-Site Request Forgery

Wicked Folders <= 2.18.16 - Cross-Site Request Forgery via ajax_delete_folder

CVE-2023-0726 Medium 2.18.17
CVE-2023-0726 Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types Cross-Site Request Forgery

Wicked Folders <= 2.18.16 - Cross-Site Request Forgery via ajax_edit_folder

CVE-2023-0718 Medium 2.18.17
CVE-2023-0718 Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types Authorization Bypass

Wicked Folders <= 2.18.16 - Missing Authorization on ajax_save_folder

CVE-2023-0715 Medium 2.18.17
CVE-2023-0715 Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types Authorization Bypass

Wicked Folders <= 2.18.16 - Missing Authorization on ajax_clone_folder

CVE-2023-0723 Medium 2.18.17
CVE-2023-0723 Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types Cross-Site Request Forgery

Wicked Folders <= 2.18.16 - Cross-Site Request Forgery on ajax_move_object

CVE-2023-0720 Medium 2.18.17
CVE-2023-0720 Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types Authorization Bypass

Wicked Folders <= 2.18.16 - Missing Authorization on ajax_save_folder_order

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
22 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
0 critical and 1 high severity finding.
Recent CVEs
CVE-2026-1883, CVE-2023-0711 and CVE-2023-0727
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-1883
CVE-2026-1883: Wicked Folders <= 4.1.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Folder Deletion

The Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the delete_folders() function due to missing validation on a user controlled key. T...

Published
Mar 14, 2026
Patched Release
4.1.1
Affected Versions
Versions up to 4.1.0
Next Step
Update to 4.1.1 or newer if supported.
Open CVE-2026-1883 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-0711
CVE-2023-0711: Wicked Folders <= 2.18.16 - Missing Authorization via ajax_save_state

The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax_save_state function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions and abo...

Published
Feb 07, 2023
Patched Release
2.18.17
Affected Versions
Versions up to 2.18.16
Next Step
Update to 2.18.17 or newer if supported.
Open CVE-2023-0711 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-0727
CVE-2023-0727: Wicked Folders <= 2.18.16 - Cross-Site Request Forgery via ajax_delete_folder

The Wicked Folders plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.18.16. This is due to missing or incorrect nonce validation on the ajax_delete_folder function. This makes it possible for unauthenticated attackers to invoke t...

Published
Feb 07, 2023
Patched Release
2.18.17
Affected Versions
Versions up to 2.18.16
Next Step
Update to 2.18.17 or newer if supported.
Open CVE-2023-0727 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-0726
CVE-2023-0726: Wicked Folders <= 2.18.16 - Cross-Site Request Forgery via ajax_edit_folder

The Wicked Folders plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.18.16. This is due to missing or incorrect nonce validation on the ajax_edit_folder function. This makes it possible for unauthenticated attackers to invoke thi...

Published
Feb 07, 2023
Patched Release
2.18.17
Affected Versions
Versions up to 2.18.16
Next Step
Update to 2.18.17 or newer if supported.
Open CVE-2023-0726 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-0718
CVE-2023-0718: Wicked Folders <= 2.18.16 - Missing Authorization on ajax_save_folder

The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax_save_folder function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions and ab...

Published
Feb 07, 2023
Patched Release
2.18.17
Affected Versions
Versions up to 2.18.16
Next Step
Update to 2.18.17 or newer if supported.
Open CVE-2023-0718 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-0715
CVE-2023-0715: Wicked Folders <= 2.18.16 - Missing Authorization on ajax_clone_folder

The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax_clone_folder function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions and a...

Published
Feb 07, 2023
Patched Release
2.18.17
Affected Versions
Versions up to 2.18.16
Next Step
Update to 2.18.17 or newer if supported.
Open CVE-2023-0715 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-0723
CVE-2023-0723: Wicked Folders <= 2.18.16 - Cross-Site Request Forgery on ajax_move_object

The Wicked Folders plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.18.16. This is due to missing or incorrect nonce validation on the ajax_move_object function. This makes it possible for unauthenticated attackers to invoke thi...

Published
Feb 07, 2023
Patched Release
2.18.17
Affected Versions
Versions up to 2.18.16
Next Step
Update to 2.18.17 or newer if supported.
Open CVE-2023-0723 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-0720
CVE-2023-0720: Wicked Folders <= 2.18.16 - Missing Authorization on ajax_save_folder_order

The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax_save_folder_order function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions...

Published
Feb 07, 2023
Patched Release
2.18.17
Affected Versions
Versions up to 2.18.16
Next Step
Update to 2.18.17 or newer if supported.
Open CVE-2023-0720 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-0725
CVE-2023-0725: Wicked Folders <= 2.18.16 - Cross-Site Request Forgery via ajax_clone_folder

The Wicked Folders plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.18.16. This is due to missing or incorrect nonce validation on the ajax_clone_folder function. This makes it possible for unauthenticated attackers to invoke th...

Published
Feb 07, 2023
Patched Release
2.18.17
Affected Versions
Versions up to 2.18.16
Next Step
Update to 2.18.17 or newer if supported.
Open CVE-2023-0725 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-0713
CVE-2023-0713: Wicked Folders <= 2.18.16 - Missing Authorization on ajax_add_folder

The Wicked Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the ajax_add_folder function in versions up to, and including, 2.18.16. This makes it possible for authenticated attackers, with subscriber-level permissions and abo...

Published
Feb 07, 2023
Patched Release
2.18.17
Affected Versions
Versions up to 2.18.16
Next Step
Update to 2.18.17 or newer if supported.
Open CVE-2023-0713 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-0730
CVE-2023-0730: Wicked Folders <= 2.18.16 - Cross-Site Request Forgery via ajax_save_folder_order

The Wicked Folders plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.18.16. This is due to missing or incorrect nonce validation on the ajax_save_folder_order function. This makes it possible for unauthenticated attackers to invo...

Published
Feb 07, 2023
Patched Release
2.18.17
Affected Versions
Versions up to 2.18.16
Next Step
Update to 2.18.17 or newer if supported.
Open CVE-2023-0730 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2023-0724
CVE-2023-0724: Wicked Folders <= 2.18.16 - Cross-Site Request Forgery via ajax_add_folder

The Wicked Folders plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.18.16. This is due to missing or incorrect nonce validation on the ajax_add_folder function. This makes it possible for unauthenticated attackers to invoke this...

Published
Feb 07, 2023
Patched Release
2.18.17
Affected Versions
Versions up to 2.18.16
Next Step
Update to 2.18.17 or newer if supported.
Open CVE-2023-0724 Report Open CVE Reference