Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Media Sync plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.9 via the 'sub_dir' and 'media_items' parameters. This is due to insufficient validation of user-supplied file paths, which are not checked for directory traversal sequences or restricted to the intended uploads directory. This makes it possible for authenticated attackers, with Author-level access and above, to perform actions on files outside of the originally intended directory.
AnalysisAI
Path traversal in the Media Sync WordPress plugin (versions ≤1.4.9) enables authenticated attackers with Author-level access or above to read arbitrary files outside the intended uploads directory by injecting traversal sequences into the 'sub_dir' and 'media_items' parameters. The CVSS vector (C:H/I:N/A:N) confirms the impact is limited to confidentiality - file read only, with no write or deletion capability indicated. No public exploit has been identified at time of analysis, and CISA SSVC rates current exploitation as none with partial technical impact, consistent with the low EPSS probability of 0.45%.
Technical ContextAI
Media Sync (CPE: cpe:2.3:a:erolsk8:media_sync:*:*:*:*:*:*:*:*) is a WordPress plugin authored by erolsk8, designed to synchronize media files within a WordPress installation. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory): the plugin accepts user-controlled values in the 'sub_dir' and 'media_items' parameters and passes them to file system operations without stripping directory traversal sequences (e.g., '../') or enforcing a chroot-style boundary to the WordPress uploads directory. This class of flaw is well-understood - the fix, visible in the Trac changeset, involves canonicalizing paths and validating that the resolved path remains within the permitted base directory before performing any file operation.
RemediationAI
An upstream fix has been committed to the WordPress plugin repository, visible at https://plugins.trac.wordpress.org/changeset/3511221/media-sync; however, the exact patched release version number is not independently confirmed from the available input data - the changeset does not specify a tagged release. Site administrators should update the Media Sync plugin to the latest available version beyond 1.4.9 via the WordPress plugin dashboard or wp-cli (wp plugin update media-sync) and verify the installed version exceeds 1.4.9. As a compensating control pending patch deployment, restrict Author-level and above roles exclusively to fully trusted users, as this limits the pool of potential attackers - note this trade-off reduces editorial flexibility. Alternatively, deactivating the Media Sync plugin entirely eliminates the attack surface at the cost of plugin functionality. Blocking direct access to the plugin's AJAX or admin endpoints via WAF rules targeting traversal sequences in the 'sub_dir' and 'media_items' parameters provides an additional layer of defense, though this may interfere with legitimate plugin operation.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30256
GHSA-4j6w-h2q8-35x3