Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network request to a WordPress plugin endpoint (AV:N/AC:L/PR:N/UI:N); arbitrary file read yields high confidentiality impact only, no integrity or availability effect.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Arbitrary File Download in WP Media folder Addon <= 4.0.1 versions.
AnalysisAI
Unauthenticated arbitrary file download in JoomUnited's WP Media Folder Addon WordPress plugin versions 4.0.1 and below allows remote attackers to retrieve arbitrary files from the underlying server via a path traversal weakness (CWE-22). The flaw is exploitable over the network without authentication or user interaction, exposing sensitive WordPress and server files such as wp-config.php. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target WordPress site must have the JoomUnited WP Media Folder Addon plugin installed and activated at version 4.0.1 or earlier, and the vulnerable file-download endpoint must be reachable over the network (the standard WordPress front-controller and admin-ajax.php are typically exposed by default). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High) is internally consistent with the description: network-reachable, low-complexity, no privileges or user interaction, with high confidentiality impact only - appropriate for an unauthenticated file read. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An opportunistic attacker scanning WordPress sites for vulnerable plugins sends a single unauthenticated HTTP request to the WP Media Folder Addon's file-download endpoint with a traversal payload such as '../../../../wp-config.php' in the filename parameter, and receives the file contents in the response. Using the database credentials and secret keys harvested from wp-config.php, the attacker then connects directly to the MySQL backend or forges authenticated session cookies to take over the site. … |
| Remediation | Upgrade WP Media Folder Addon to a version newer than 4.0.1 as published by JoomUnited; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-media-folder-addon/vulnerability/wordpress-wp-media-folder-addon-plugin-4-0-1-arbitrary-file-download-vulnerability should be consulted for the exact fixed release, as no specific patched version was supplied in the input - patch available per vendor advisory, but the exact fix version is not independently confirmed here. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all WordPress installations and identify instances of WP Media Folder Addon version 4.0.1 or below. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37647