Description (NVD)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kingdom Creation Media Folder media-folder allows Reflected XSS. This issue affects Media Folder: from n/a through <= 1.0.0.
Analysis (AI)
Reflected cross-site scripting (XSS) in the Kingdom Creation Media Folder WordPress plugin, versions through 1.0.0, allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The defect lies in input handling during page generation: a specially crafted URL carries the payload, and the page reflects it back unescaped. Successful exploitation enables session hijacking, credential theft, or malware distribution; it requires no authentication and no user interaction beyond the victim visiting the malicious link.
Technical Context (AI)
This is a classic reflected XSS vulnerability (CWE-79) in a WordPress plugin: user-supplied input is not properly neutralized before being rendered into the HTML response. The Media Folder plugin (no CPE is given; the affected product is referenced only as 'Kingdom Creation Media Folder') fails to sanitize or escape query parameters or form inputs during dynamic page generation. Reflected XSS differs from stored XSS in that the payload is never persisted in the database; it travels in the request itself, typically in the URL query string or in POST parameters, and is echoed back in the same response. The result is arbitrary JavaScript executing in the context of the victim's browser session, which can expose session tokens and cookies or perform actions on the user's behalf.
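The pattern described above, shown as an added PHP illustration for defenders and code reviewers. This is not code from the Media Folder plugin; the query parameter name `folder`, the `mf_demo_*` function names and the text domain `mf-demo` are hypothetical. The WordPress helpers used (`sanitize_text_field`, `wp_unslash`, `esc_html`, `esc_attr`, `esc_url`, `add_query_arg`, `admin_url`, `esc_html__`) are the real core functions.

```php
<?php
// Added illustration of a CWE-79 reflected XSS in a WordPress plugin and
// its fix. Not the Media Folder plugin's code; the parameter name "folder"
// and the mf_demo_* function names are hypothetical.

// VULNERABLE: the raw query-string value is echoed straight into the
// response. Whatever the request carries in ?folder=... is rendered as
// markup, both inside element content and inside an attribute value.
function mf_demo_render_folder_header_vulnerable() {
    $folder = isset( $_GET['folder'] ) ? $_GET['folder'] : '';
    echo '<h2 class="mf-folder">Folder: ' . $folder . '</h2>';
    echo '<input type="hidden" name="mf_folder" value="' . $folder . '">';
}

// FIXED: sanitize on input, then escape for the specific output context.
// sanitize_text_field() strips tags and normalizes whitespace on the way in;
// esc_html() and esc_attr() encode the characters that would break out of
// text content or of a quoted attribute value, respectively.
function mf_demo_render_folder_header_fixed() {
    $folder = '';
    if ( isset( $_GET['folder'] ) ) {
        $folder = sanitize_text_field( wp_unslash( $_GET['folder'] ) );
    }
    echo '<h2 class="mf-folder">Folder: ' . esc_html( $folder ) . '</h2>';
    echo '<input type="hidden" name="mf_folder" value="' . esc_attr( $folder ) . '">';
}

// When the same value is reflected into a link, the output context changes
// again: build the URL with add_query_arg() and escape it with esc_url(),
// not esc_html(). The link text is a translatable literal, escaped as HTML.
function mf_demo_render_folder_link_fixed() {
    $folder = '';
    if ( isset( $_GET['folder'] ) ) {
        $folder = sanitize_text_field( wp_unslash( $_GET['folder'] ) );
    }
    $url = add_query_arg( 'folder', $folder, admin_url( 'upload.php' ) );
    echo '<a href="' . esc_url( $url ) . '">'
        . esc_html__( 'Back to folder', 'mf-demo' )
        . '</a>';
}
```

The two halves of the fix are separate controls: sanitizing on input does not make a value safe to print, and escaping is chosen per output context (HTML text, attribute, URL, JavaScript), so a value that is correctly escaped in one place can still be injected in another. When auditing a plugin for this class of bug, follow every `$_GET`, `$_POST` and `$_REQUEST` read to the `echo`/`print`/`printf` that emits it and confirm an `esc_*` call sits between them for the context in question.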
Affected Products (AI)
Kingdom Creation Media Folder WordPress plugin versions 1.0.0 and earlier are affected. The plugin is distributed through the WordPress plugin repository, and the vulnerability is tracked in the Patchstack vulnerability database (reference: Patchstack WordPress Media Folder vulnerability listing).
Remediation (AI)
Upgrade Kingdom Creation Media Folder to a version newer than 1.0.0 as soon as a patched release is available from the developer. Check the plugin's WordPress.org page or contact the Kingdom Creation Media Folder development team for the specific patched version number. As an interim workaround pending patch availability, disable the Media Folder plugin if it is not critical to operations, or restrict access to the plugin's functionality through WordPress user role management and .htaccess rules. Input validation and output escaping should be verified by the vendor in the updated release. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/media-folder/vulnerability/wordpress-media-folder-1-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve for additional technical details and any vendor-provided fixes.