File Un-Attach Security & Risk Analysis

wordpress.org/plugins/file-un-attach

This plugin allows you to attach a single file to multiple posts, and also allows you to detach any file.

400 active installs · v1.1.3 · PHP + · WP 3.0.0+ · Updated Aug 13, 2015
Tags: attach, attached, gallery, image, unattach
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is File Un-Attach Safe to Use in 2026?

Generally Safe

Score 85/100

File Un-Attach has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 10yr ago
Risk Assessment

The "file-un-attach" plugin v1.1.3 has a generally good security posture, with no known historical vulnerabilities. Static analysis shows a limited attack surface: no exposed AJAX handlers, REST API routes, shortcodes, or cron events, which minimizes potential entry points for attackers. In addition, most SQL queries use prepared statements (5 of 7, 71%), and 68% of outputs (94 of 138) are escaped, showing adherence to some secure coding practices.

However, the analysis does flag a critical concern with the presence of the `unserialize` function. While the static analysis doesn't explicitly show an unsanitized path leading to this function, the mere use of `unserialize` on potentially untrusted data is a significant risk. It's possible that unsanitized data could be passed to `unserialize`, leading to Remote Code Execution (RCE) or other severe vulnerabilities. The taint analysis also indicates one flow with an unsanitized path, which, while not classified as critical or high, still warrants attention as it represents a potential weakness.

In conclusion, the plugin's lack of historical vulnerabilities and its minimal attack surface are positive signs. Nevertheless, the identified use of `unserialize` and the single unsanitized taint flow represent critical potential weaknesses that could be exploited. Further investigation into how data is passed to `unserialize` is highly recommended to fully assess and mitigate these risks.

Key Concerns

  • Use of unserialize function
  • Flows with unsanitized paths
  • Output escaping is incomplete (68% escaped)
Vulnerabilities
None known

File Un-Attach Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

File Un-Attach Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 2 (5 prepared)
Unescaped Output: 44 (94 escaped)
Nonce Checks: 6
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

unserialize: `$attachment = unserialize($attachment);` (inc\front.php:132)

SQL Query Safety

71% prepared · 7 total queries

Output Escaping

68% escaped · 138 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

8 flows · 1 with unsanitized paths
init_actions (inc\admin.php:283)
Diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface

File Un-Attach Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 16

  • action: init (file-unattach.php:58)
  • filter: attachment_fields_to_edit (inc\admin.php:29)
  • action: pre_get_posts (inc\admin.php:34)
  • action: admin_init (inc\admin.php:38)
  • action: admin_footer (inc\admin.php:39)
  • action: wp_enqueue_media (inc\admin.php:40)
  • action: admin_print_scripts (inc\admin.php:41)
  • action: manage_media_custom_column (inc\admin.php:42)
  • action: attachment_submitbox_misc_actions (inc\admin.php:43)
  • filter: media_upload_tabs (inc\admin.php:45)
  • filter: manage_upload_columns (inc\admin.php:46)
  • action: admin_footer (inc\admin.php:66)
  • action: pre_get_posts (inc\front.php:20)
  • action: post-plupload-upload-ui (inc\media-template.3.9.php:82)
  • action: post-plupload-upload-ui (inc\media-template.4.0.php:96)
  • action: post-plupload-upload-ui (inc\media-template.php:71)
Maintenance & Trust

File Un-Attach Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.2.39
Last updated: Aug 13, 2015
PHP min version
Downloads: 33K

Community Trust

Rating: 88/100
Number of ratings: 12
Active installs: 400
Developer Profile

File Un-Attach Developer Profile

markethax

9 plugins · 12K total installs

Trust score: 87
Avg Security Score: 90/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect File Un-Attach

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/file-un-attach/css/file-unattach.css
  • /wp-content/plugins/file-un-attach/js/file-unattach.js
  • /wp-content/plugins/file-un-attach/js/file-unattach.min.js

Script Paths

  • /wp-content/plugins/file-un-attach/js/file-unattach.js
  • /wp-content/plugins/file-un-attach/js/file-unattach.min.js

Version Parameters

  • file-unattach/css/file-unattach.css?ver=
  • file-unattach/js/file-unattach.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • fun-attach
  • attached-list
  • fun-unattach-row
  • fun-find-posts

Data Attributes

  • id="attached-list-
  • class="attached-list"
  • id="file-unattch-
  • class="fun-unattach-row"
  • id="fun-find-posts-

JS Globals

  • window.fun_wp_version
  • window.fun_max_upload_size
FAQ

Frequently Asked Questions about File Un-Attach