Skip to main content

WP Media Folder Addon EUVDEUVD-2026-37647

| CVE-2026-9690 HIGH
Path Traversal (CWE-22)
2026-06-17 Patchstack
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network request to a WordPress plugin endpoint (AV:N/AC:L/PR:N/UI:N); arbitrary file read yields high confidentiality impact only, no integrity or availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 11:50 vuln.today

DescriptionCVE.org

Unauthenticated Arbitrary File Download in WP Media folder Addon <= 4.0.1 versions.

AnalysisAI

Unauthenticated arbitrary file download in JoomUnited's WP Media Folder Addon WordPress plugin versions 4.0.1 and below allows remote attackers to retrieve arbitrary files from the underlying server via a path traversal weakness (CWE-22). The flaw is exploitable over the network without authentication or user interaction, exposing sensitive WordPress and server files such as wp-config.php. No public exploit identified at time of analysis, and the issue is not currently tracked in CISA KEV.

Technical ContextAI

WP Media Folder Addon is a commercial extension to JoomUnited's WP Media Folder plugin for WordPress, used to extend media library management with features such as remote cloud imports and bulk file operations. The underlying weakness is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, i.e. path traversal): a file-handling endpoint accepts a user-controlled path or filename parameter and resolves it without canonicalising or restricting it to the intended uploads directory, so sequences such as '../' or absolute paths break out of the intended folder. Because this is a WordPress plugin, the vulnerable endpoint is most likely an admin-ajax.php or REST action exposed via the standard WordPress request handlers, and the affected CPE is cpe:2.3:a:joomunited:wp_media_folder_addon up to and including 4.0.1.

RemediationAI

Upgrade WP Media Folder Addon to a version newer than 4.0.1 as published by JoomUnited; the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-media-folder-addon/vulnerability/wordpress-wp-media-folder-addon-plugin-4-0-1-arbitrary-file-download-vulnerability should be consulted for the exact fixed release, as no specific patched version was supplied in the input - patch available per vendor advisory, but the exact fix version is not independently confirmed here. Until the update is applied, compensating controls include deactivating the WP Media Folder Addon plugin (loses its added media-management features but eliminates the attack surface entirely), placing the WordPress admin and admin-ajax.php endpoints behind a WAF or virtual-patch rule that blocks requests containing path traversal sequences such as '../' or absolute paths in file/filename/path parameters (may produce false positives for plugins that legitimately submit filesystem paths), and restricting filesystem read permissions on sensitive files like wp-config.php at the OS level (does not stop reads of files the web user can already access). Rotate WordPress database credentials, AUTH/SECURE_AUTH/LOGGED_IN keys and salts if wp-config.php disclosure cannot be ruled out from access logs.

Share

EUVD-2026-37647 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy