Skip to main content

Media Sync CVE-2026-6670

| EUVDEUVD-2026-30256 MEDIUM
Path Traversal (CWE-22)
2026-05-14 Wordfence GHSA-4j6w-h2q8-35x3
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 10:57 vuln.today
CVE Published
May 14, 2026 - 06:44 nvd
MEDIUM 6.5

DescriptionCVE.org

The Media Sync plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.9 via the 'sub_dir' and 'media_items' parameters. This is due to insufficient validation of user-supplied file paths, which are not checked for directory traversal sequences or restricted to the intended uploads directory. This makes it possible for authenticated attackers, with Author-level access and above, to perform actions on files outside of the originally intended directory.

AnalysisAI

Path traversal in the Media Sync WordPress plugin (versions ≤1.4.9) enables authenticated attackers with Author-level access or above to read arbitrary files outside the intended uploads directory by injecting traversal sequences into the 'sub_dir' and 'media_items' parameters. The CVSS vector (C:H/I:N/A:N) confirms the impact is limited to confidentiality - file read only, with no write or deletion capability indicated. No public exploit has been identified at time of analysis, and CISA SSVC rates current exploitation as none with partial technical impact, consistent with the low EPSS probability of 0.45%.

Technical ContextAI

Media Sync (CPE: cpe:2.3:a:erolsk8:media_sync:*:*:*:*:*:*:*:*) is a WordPress plugin authored by erolsk8, designed to synchronize media files within a WordPress installation. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory): the plugin accepts user-controlled values in the 'sub_dir' and 'media_items' parameters and passes them to file system operations without stripping directory traversal sequences (e.g., '../') or enforcing a chroot-style boundary to the WordPress uploads directory. This class of flaw is well-understood - the fix, visible in the Trac changeset, involves canonicalizing paths and validating that the resolved path remains within the permitted base directory before performing any file operation.

RemediationAI

An upstream fix has been committed to the WordPress plugin repository, visible at https://plugins.trac.wordpress.org/changeset/3511221/media-sync; however, the exact patched release version number is not independently confirmed from the available input data - the changeset does not specify a tagged release. Site administrators should update the Media Sync plugin to the latest available version beyond 1.4.9 via the WordPress plugin dashboard or wp-cli (wp plugin update media-sync) and verify the installed version exceeds 1.4.9. As a compensating control pending patch deployment, restrict Author-level and above roles exclusively to fully trusted users, as this limits the pool of potential attackers - note this trade-off reduces editorial flexibility. Alternatively, deactivating the Media Sync plugin entirely eliminates the attack surface at the cost of plugin functionality. Blocking direct access to the plugin's AJAX or admin endpoints via WAF rules targeting traversal sequences in the 'sub_dir' and 'media_items' parameters provides an additional layer of defense, though this may interfere with legitimate plugin operation.

Share

CVE-2026-6670 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy