Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network request to a WordPress plugin endpoint (AV:N/AC:L/PR:N/UI:N); arbitrary file read yields high confidentiality impact only, no integrity or availability effect.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Arbitrary File Download in WP Media folder Addon <= 4.0.1 versions.
AnalysisAI
Unauthenticated arbitrary file download in JoomUnited's WP Media Folder Addon WordPress plugin versions 4.0.1 and below allows remote attackers to retrieve arbitrary files from the underlying server via a path traversal weakness (CWE-22). The flaw is exploitable over the network without authentication or user interaction, exposing sensitive WordPress and server files such as wp-config.php. No public exploit identified at time of analysis, and the issue is not currently tracked in CISA KEV.
Technical ContextAI
WP Media Folder Addon is a commercial extension to JoomUnited's WP Media Folder plugin for WordPress, used to extend media library management with features such as remote cloud imports and bulk file operations. The underlying weakness is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, i.e. path traversal): a file-handling endpoint accepts a user-controlled path or filename parameter and resolves it without canonicalising or restricting it to the intended uploads directory, so sequences such as '../' or absolute paths break out of the intended folder. Because this is a WordPress plugin, the vulnerable endpoint is most likely an admin-ajax.php or REST action exposed via the standard WordPress request handlers, and the affected CPE is cpe:2.3:a:joomunited:wp_media_folder_addon up to and including 4.0.1.
RemediationAI
Upgrade WP Media Folder Addon to a version newer than 4.0.1 as published by JoomUnited; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-media-folder-addon/vulnerability/wordpress-wp-media-folder-addon-plugin-4-0-1-arbitrary-file-download-vulnerability should be consulted for the exact fixed release, as no specific patched version was supplied in the input - patch available per vendor advisory, but the exact fix version is not independently confirmed here. Until the update is applied, compensating controls include deactivating the WP Media Folder Addon plugin (loses its added media-management features but eliminates the attack surface entirely), placing the WordPress admin and admin-ajax.php endpoints behind a WAF or virtual-patch rule that blocks requests containing path traversal sequences such as '../' or absolute paths in file/filename/path parameters (may produce false positives for plugins that legitimately submit filesystem paths), and restricting filesystem read permissions on sensitive files like wp-config.php at the OS level (does not stop reads of files the web user can already access). Rotate WordPress database credentials, AUTH/SECURE_AUTH/LOGGED_IN keys and salts if wp-config.php disclosure cannot be ruled out from access logs.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37647