WP-Safety

Clean Unused Medias Security & Risk Analysis

wordpress.org/plugins/clean-unused-medias

Clean Unused Medias, another simple way to delete the medias you don't need anymore.

100 active installs v1.10 PHP + WP 4.6.1+ Updated Jul 20, 2021
acfadvanced-custom-fieldsattachmentcleanmedia
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Clean Unused Medias Safe to Use in 2026?

Generally Safe

Score 85/100

Clean Unused Medias has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 4yr ago
Risk Assessment

The "clean-unused-medias" plugin v1.10 presents a significant security risk due to a large number of unprotected AJAX handlers. With 10 AJAX handlers identified, all lacking authentication checks, any user, regardless of their role or permissions, can trigger these functions. This creates a broad attack surface that could be exploited to perform unintended actions within the WordPress site. The presence of the `unserialize` function, coupled with one high-severity taint flow involving an unsanitized path, further exacerbates the risk. While the plugin has no recorded vulnerability history, this absence could be due to lack of rigorous security testing or a small user base, rather than inherent security. The lack of capability checks and proper output escaping also contributes to a weak security posture. Overall, the plugin's strengths, such as a high percentage of prepared SQL statements, are overshadowed by critical weaknesses in authentication and input sanitization for its entry points.

Key Concerns

  • Unprotected AJAX handlers
  • High severity taint flow
  • Dangerous function unserialize
  • No capability checks
  • Unescaped output
  • Unsanitized paths in taint flow
Vulnerabilities
None known

Clean Unused Medias Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Clean Unused Medias Code Analysis

Dangerous Functions
8
Raw SQL Queries
4
25 prepared
Unescaped Output
16
0 escaped
Nonce Checks
5
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Dangerous Functions Found

unserialize$lnjcm_medias_in_content_ids = ( empty( $lnjcm_medias_in_content_index ) ) ? array() : unserialize(library\functions.php:40
unserialize$lnjcm_medias_in_postmeta_ids = ( empty( $lnjcm_medias_in_postmeta_ids ) ) ? array() : unserialize( library\functions.php:42
unserialize$lnjcm_medias_in_usermeta_ids = ( empty( $lnjcm_medias_in_usermeta_ids ) ) ? array() : unserialize( library\functions.php:44
unserialize$lnjcm_medias_in_option_ids = ( empty( $lnjcm_medias_in_option_ids ) ) ? array() : unserialize( $llibrary\functions.php:46
unserialize$in_content_medias = ( empty( $in_content_medias ) ) ? array() : unserialize( $in_content_medias );ws\list.medias.php:87
unserialize$in_postmeta_medias = ( empty( $in_postmeta_medias ) ) ? array() : unserialize( $in_postmeta_medias ws\list.medias.php:94
unserialize$in_usermeta_medias = ( empty( $in_usermeta_medias ) ) ? array() : unserialize( $in_usermeta_medias ws\list.medias.php:101
unserialize$in_option_medias = ( empty( $in_option_medias ) ) ? array() : unserialize( $in_option_medias );ws\list.medias.php:108

SQL Query Safety

86% prepared29 total queries

Output Escaping

0% escaped16 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

2 flows1 with unsanitized paths
<list.medias> (ws\list.medias.php:0)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
10 unprotected

Clean Unused Medias Attack Surface

Entry Points10
Unprotected10

AJAX Handlers 10

authwp_ajax_lnjcm_list_mediaslibrary\functions.php:686
noprivwp_ajax_lnjcm_list_mediaslibrary\functions.php:687
authwp_ajax_lnjcm_do_delete_mediaslibrary\functions.php:697
noprivwp_ajax_lnjcm_do_delete_mediaslibrary\functions.php:698
authwp_ajax_lnjcm_crawl_mediaslibrary\functions.php:708
noprivwp_ajax_lnjcm_crawl_mediaslibrary\functions.php:709
authwp_ajax_lnjcm_crawl_medias_change_statuslibrary\functions.php:719
noprivwp_ajax_lnjcm_crawl_medias_change_statuslibrary\functions.php:720
authwp_ajax_lnjcm_get_medias_used_inlibrary\functions.php:730
noprivwp_ajax_lnjcm_get_medias_used_inlibrary\functions.php:731
WordPress Hooks 12
actioninitclean-unused-medias.php:52
actioninitlibrary\functions.php:12
actionlnjcm_check_medias_in_contentlibrary\functions.php:22
actioninitlibrary\functions.php:211
actionadmin_print_scriptslibrary\functions.php:476
actionadmin_print_styleslibrary\functions.php:488
actionadmin_footerlibrary\functions.php:509
actionadmin_menulibrary\functions.php:518
filtermanage_media_columnslibrary\functions.php:572
actionmanage_media_custom_columnlibrary\functions.php:573
actionadmin_initlibrary\functions.php:575
filterplugin_action_links_clean-unused-medias/clean-unused-medias.phplibrary\functions.php:744

Scheduled Events 2

lnjcm_check_medias_in_content
lnjcm_check_medias_in_content
Maintenance & Trust

Clean Unused Medias Maintenance & Trust

Maintenance Signals

WordPress version tested5.8.13
Last updatedJul 20, 2021
PHP min version
Downloads8K

Community Trust

Rating76/100
Number of ratings5
Active installs100
Alternatives

Clean Unused Medias Alternatives

Delete Post with Attachments

Delete Post with Attachments

delete-post-with-attachments

A
100

A simple plugin to delete attached media files e.g. images/videos/documents, when the post is deleted. Supports Elementor, Divi Builder, Thrive Archit &hellip;

1K No CVEs
whatwedo ACF Cleaner

whatwedo ACF Cleaner

whatwedo-acf-cleaner

A
92

Cleanup old metadata created by Advanced Custom Fields.

800 No CVEs
Advanced Custom Fields: Real Media Library Folder Field

Advanced Custom Fields: Real Media Library Folder Field

acf-real-media-library-field

A
85

Media library folder field for Advanced Custom Fields (ACF). Folder created by Real Media Library.

200 No CVEs
Advance Importer

Advance Importer

advance-importer

A
100

A powerful plugin for import and export Post, Page, any Custom post type data, with any kind of attachments.

10 No CVEs
MCOD Delete Media by Content

MCOD Delete Media by Content

mcod-bulk-delete-media-by-content

A
100

Bulk delete WordPress media files linked to any post type. Clean your media library in batches with smart exclusions and WooCommerce/ACF support.

0 No CVEs
Developer Profile

Clean Unused Medias Developer Profile

xuxu.fr

4 plugins · 180 total installs

86
trust score
Avg Security Score
89/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Clean Unused Medias

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/clean-unused-medias/library/css/admin.css/wp-content/plugins/clean-unused-medias/library/js/admin.js
Version Parameters
clean-unused-medias/library/css/admin.css?ver=clean-unused-medias/library/js/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
lnjcm-admin-content
JS Globals
lnjcm_delete_all_unused_medias_confirmlnjcm_delete_all_unused_medias
FAQ

Frequently Asked Questions about Clean Unused Medias