WP-Safety

CatFolders – WordPress Media Library Folders & Categories Security & Risk Analysis

wordpress.org/plugins/catfolders

Organize and manage your files with WordPress media folders. Fast, flexible, and professional.

6K active installs v2.5.4 PHP 7.2+ WP 5.2+ Updated Jan 8, 2026
folderfoldersgallerymedia-foldermedia-library
98
A · Safe
CVEs total2
Unpatched0
Last CVENov 30, 2025
Plugin page Download
Safety Verdict

Is CatFolders – WordPress Media Library Folders & Categories Safe to Use in 2026?

Generally Safe

Score 98/100

CatFolders – WordPress Media Library Folders & Categories has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEsLast CVE: Nov 30, 2025Updated 2mo ago
Risk Assessment

The "catfolders" v2.5.4 plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices with a high percentage of prepared SQL statements (71%) and properly escaped outputs (93%). The presence of numerous capability checks (21) and a relatively low number of file operations (3) and external HTTP requests (0) are also encouraging. However, there are significant areas of concern, particularly regarding its attack surface. The plugin has three AJAX handlers, and critically, one of these lacks authorization checks, presenting a direct entry point for unauthorized actions.

Taint analysis reveals three flows with unsanitized paths, although none are categorized as critical or high severity. While this suggests no immediate catastrophic vulnerabilities, the presence of unsanitized paths is a red flag that could be exploited in conjunction with other weaknesses. The plugin's vulnerability history shows two medium-severity CVEs in the past, specifically related to Missing Authorization and SQL Injection. The fact that these are now patched is positive, but the recurring nature of these vulnerability types indicates potential architectural weaknesses that require ongoing vigilance and robust development practices to prevent recurrence.

Overall, "catfolders" v2.5.4 has strengths in its output sanitization and SQL query handling but is weakened by an unprotected AJAX endpoint and past vulnerabilities related to authorization and SQL injection. The presence of unsanitized paths, while not currently leading to critical issues, warrants attention. The plugin is recommended for use with caution and regular monitoring for security updates, given its history and the identified unprotected entry point.

Key Concerns

  • AJAX handler without auth check
  • Flows with unsanitized paths detected
  • Past medium CVEs for Missing Authorization
  • Past medium CVEs for SQL Injection
Vulnerabilities
2

CatFolders – WordPress Media Library Folders & Categories Security Vulnerabilities

CVEs by Year

2 CVEs in 2025
2025
Patched Has unpatched

Severity Breakdown

Medium
2

2 total CVEs

CVE-2025-66120medium · 5.3Missing Authorization

CatFolders <= 2.5.3 - Missing Authorization

Nov 30, 2025 Patched in 2.5.4 (45d)
CVE-2025-9776medium · 6.5Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CatFolders – Tame Your WordPress Media Library by Category <= 2.5.2 - Authenticated (Author+) SQL Injection via CSV Import

Sep 10, 2025 Patched in 2.5.3 (1d)
Code Analysis
Analyzed Mar 16, 2026

CatFolders – WordPress Media Library Folders & Categories Code Analysis

Dangerous Functions
0
Raw SQL Queries
10
24 prepared
Unescaped Output
5
67 escaped
Nonce Checks
2
Capability Checks
21
File Operations
3
External Requests
0
Bundled Libraries
0

SQL Query Safety

71% prepared34 total queries

Output Escaping

93% escaped72 total outputs
Data Flows
3 unsanitized

Data Flow Analysis

4 flows3 with unsanitized paths
extranav_custom_action (includes\Integrations\MediaLibraryAssistant.php:34)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
1 unprotected

CatFolders – WordPress Media Library Folders & Categories Attack Surface

Entry Points3
Unprotected1

AJAX Handlers 3

authwp_ajax_catf_first_folderincludes\Backend\Notices.php:12
authwp_ajax_tb_load_editorincludes\Integrations\PageBuilders.php:149
authwp_ajax_catf_run_mergeincludes\Internals\Users\FolderUser.php:18
WordPress Hooks 60
actionadmin_initcatfolders.php:22
actionadmin_initcatfolders.php:33
actionadmin_initcatfolders.php:44
actionplugins_loadedcatfolders.php:103
actionwp_dashboard_setupincludes\Backend\DashboardWidget.php:9
actionadmin_enqueue_scriptsincludes\Backend\Enqueue.php:19
actionadmin_noticesincludes\Backend\Notices.php:11
filterplugin_row_metaincludes\Backend\SettingsPage.php:16
actionadmin_menuincludes\Backend\SettingsPage.php:18
actionadmin_enqueue_scriptsincludes\Backend\SettingsPage.php:19
actioninitincludes\Blocks\GalleryBlock.php:12
filterupload_mimesincludes\Classes\Svg.php:13
filterwp_check_filetype_and_extincludes\Classes\Svg.php:14
filterwp_handle_upload_prefilterincludes\Classes\Svg.php:15
filterscript_loader_tagincludes\Classes\Vite.php:14
filterscript_loader_srcincludes\Classes\Vite.php:29
actionadmin_headincludes\Classes\Vite.php:45
actioninitincludes\I18n.php:8
actioninitincludes\Install.php:6
filtercatf_post_type_validatorincludes\Integrations\MediaLibraryAssistant.php:10
filtermla_list_table_extranav_actionsincludes\Integrations\MediaLibraryAssistant.php:11
actionmla_list_table_extranav_custom_actionincludes\Integrations\MediaLibraryAssistant.php:12
filtermla_list_table_submenu_argumentsincludes\Integrations\MediaLibraryAssistant.php:13
actioninitincludes\Integrations\PageBuilders.php:13
actionwp_footerincludes\Integrations\PageBuilders.php:50
actionmfn_footer_enqueueincludes\Integrations\PageBuilders.php:61
actionelementor/editor/before_enqueue_scriptsincludes\Integrations\PageBuilders.php:65
actionfl_before_sortable_enqueueincludes\Integrations\PageBuilders.php:71
actionbrizy_editor_enqueue_scriptsincludes\Integrations\PageBuilders.php:82
actioncornerstone_before_wp_editorincludes\Integrations\PageBuilders.php:88
actionet_fb_enqueue_assetsincludes\Integrations\PageBuilders.php:94
actiondivi_visual_builder_assets_before_enqueue_scriptsincludes\Integrations\PageBuilders.php:101
actiontcb_main_frame_enqueueincludes\Integrations\PageBuilders.php:111
actionfusion_builder_enqueue_live_scriptsincludes\Integrations\PageBuilders.php:117
actionoxygen_enqueue_ui_scriptsincludes\Integrations\PageBuilders.php:123
actiontatsu_builder_footerincludes\Integrations\PageBuilders.php:129
actiondokan_enqueue_scriptsincludes\Integrations\PageBuilders.php:135
actionbricks_after_footerincludes\Integrations\PageBuilders.php:161
actionfusion_enqueue_live_scriptsincludes\Integrations\PageBuilders.php:168
actionzionbuilder/editor/before_scriptsincludes\Integrations\PageBuilders.php:174
actionznpb_editor_after_load_scriptsincludes\Integrations\PageBuilders.php:178
filtermanage_media_columnsincludes\Internals\Modules\MediaMeta.php:14
actionmanage_media_custom_columnincludes\Internals\Modules\MediaMeta.php:15
filtermanage_upload_sortable_columnsincludes\Internals\Modules\MediaMeta.php:16
actionadded_post_metaincludes\Internals\Modules\MediaMeta.php:17
filtermedia_library_infinite_scrollingincludes\Internals\WPMedia.php:20
filterajax_query_attachments_argsincludes\Internals\WPMedia.php:21
filtermla_media_modal_query_final_termsincludes\Internals\WPMedia.php:22
filterrestrict_manage_postsincludes\Internals\WPMedia.php:23
filterposts_clausesincludes\Internals\WPMedia.php:24
actionadd_attachmentincludes\Internals\WPMedia.php:26
actiondelete_attachmentincludes\Internals\WPMedia.php:27
actionpre-upload-uiincludes\Internals\WPMedia.php:28
filterrest_prepare_attachmentincludes\Internals\WPMedia.php:30
actionattachment_fields_to_editincludes\Internals\WPMedia.php:31
filterattachment_fields_to_saveincludes\Internals\WPMedia.php:32
actionrest_api_initincludes\Rest\Init.php:6
actionadmin_noticesincludes\Views\fallback-exists.php:5
actionadmin_noticesincludes\Views\fallback-minimum-php.php:5
actionadmin_noticesincludes\Views\fallback-minimum-wp.php:7
Maintenance & Trust

CatFolders – WordPress Media Library Folders & Categories Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedJan 8, 2026
PHP min version7.2
Downloads60K

Community Trust

Rating86/100
Number of ratings18
Active installs6K
Alternatives

CatFolders – WordPress Media Library Folders & Categories Alternatives

FileBird – WordPress Media Library Folders & File Manager

FileBird – WordPress Media Library Folders & File Manager

filebird

A
89

Organize thousands of WordPress media files in folders / categories with ease.

200K 10 CVEs
Real Media Library: Media Library Folder & File Manager

Real Media Library: Media Library Folder & File Manager

real-media-library-lite

A
97

Organize uploaded media in folders, collections and galleries: A file manager for WordPress. Media management made easy with Real Media Library! (Alte &hellip;

100K 4 CVEs
Enhanced Media Library

Enhanced Media Library

enhanced-media-library

A
91

This plugin would be handy for those who need to manage a lot of media files.

70K 1 CVE
WP Media folders

WP Media folders

wp-media-folders

A
85

WP Media Folders is a media management plugin that: Implement a real folder and media URL structure & Allow WP Media Folder plugin data import

3K No CVEs
Categorify – WordPress Media Library Category & File Manager

Categorify – WordPress Media Library Category & File Manager

categorify

C
59

Organize your WordPress media files in categories via drag and drop.

1K 1 unpatched
Developer Profile

CatFolders – WordPress Media Library Folders & Categories Developer Profile

CatFolders

2 plugins · 9K total installs

93
trust score
Avg Security Score
99/100
Avg Patch Time
23 days
View full developer profile
Detection Fingerprints

How We Detect CatFolders – WordPress Media Library Folders & Categories

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/catfolders/assets/css/photoswipe/photoswipe.css/wp-content/plugins/catfolders/assets/css/photoswipe/default-skin.css/wp-content/plugins/catfolders/assets/js/photoswipe/photoswipe.min.js/wp-content/plugins/catfolders/assets/js/photoswipe/photoswipe-ui-default.min.js/wp-content/plugins/catfolders/assets/js/photoswipe/catf-photoswipe.js/wp-content/plugins/catfolders/includes/Blocks/build/style-index.css/wp-content/plugins/catfolders/assets/js/jquery-resizable.min.js/wp-content/plugins/catfolders/assets/js/jquery.ui.touch-punch.js
Script Paths
/wp-content/plugins/catfolders/assets/js/jquery-resizable.min.js/wp-content/plugins/catfolders/assets/js/jquery.ui.touch-punch.js/wp-content/plugins/catfolders/includes/Blocks/build/style-index.css/wp-content/plugins/catfolders/assets/js/photoswipe/photoswipe.min.js/wp-content/plugins/catfolders/assets/js/photoswipe/photoswipe-ui-default.min.js/wp-content/plugins/catfolders/assets/js/photoswipe/catf-photoswipe.js
Version Parameters
catfolders/style.css?ver=catfolders/script.js?ver=catfolders/assets/js/jquery-resizable.min.js?ver=catfolders/assets/js/jquery.ui.touch-punch.js?ver=catfolders/includes/Blocks/build/style-index.css?ver=catfolders/assets/css/photoswipe/photoswipe.css?ver=catfolders/assets/css/photoswipe/default-skin.css?ver=catfolders/assets/js/photoswipe/photoswipe.min.js?ver=catfolders/assets/js/photoswipe/photoswipe-ui-default.min.js?ver=catfolders/assets/js/photoswipe/catf-photoswipe.js?ver=

HTML / DOM Fingerprints

CSS Classes
catfolders-gallery-blockcatf-admin-folder-container
HTML Comments
<!-- CatFolders Media Folders --><!-- WP Media Folders --><!-- CatFolders Lite --><!-- CatFolders gallery block -->+1 more
Data Attributes
data-catf-iddata-catf-folder-iddata-catf-attachment-iddata-catf-parent-iddata-catf-titledata-catf-folder-name+2 more
JS Globals
catfDataCatFolders
REST Endpoints
/wp-json/catfolders/v1/
Shortcode Output
<div class="catfolders-gallery-block"<div id="catf-gallery-{{ id }}"
FAQ

Frequently Asked Questions about CatFolders – WordPress Media Library Folders & Categories