WP-Safety

Media Cloud Sync Security & Risk Analysis

wordpress.org/plugins/media-cloud-sync

Offload media to cloud storage (S3, DigitalOcean, Google Cloud, Cloudflare R2, S3 compatible Services) and rewrite URLs for seamless file delivery.

900 active installs v1.3.8 PHP 7.4+ WP 5.2+ Updated Mar 29, 2026
awscloudmediaoffloadsync
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Download
Safety Verdict

Is Media Cloud Sync Safe to Use in 2026?

Generally Safe

Score 100/100

Media Cloud Sync has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1mo ago
Risk Assessment

This plugin exhibits a generally positive security posture with no publicly known vulnerabilities. The static analysis reveals a small attack surface, with all identified entry points having appropriate authentication checks. The use of prepared statements for the majority of SQL queries and proper output escaping for most outputs are also good practices.

However, there are several areas of concern within the code. The presence of a significant number of dangerous functions, including `unserialize`, `assert`, and various shell execution functions, indicates a potential for severe vulnerabilities if not handled with extreme care. While taint analysis did not reveal any flows in this specific scan, the presence of these functions creates a latent risk. The plugin also performs numerous file operations and makes an external HTTP request, which, combined with the dangerous functions, could be exploited if an attacker can influence the input to these operations.

Given the lack of historical vulnerabilities, it's possible the developers are diligent in their secure coding practices. Nevertheless, the static analysis highlights inherent risks due to the nature of the functions used. The strength lies in the limited attack surface and existing checks, but the weakness lies in the powerful, potentially dangerous functions that, if misused, could lead to critical security issues.

Key Concerns

  • Significant number of dangerous functions present
  • Notable number of file operations
  • External HTTP request present
  • Only one nonce check found
  • Bundled Guzzle library (potential for outdated versions)
Vulnerabilities
None known

Media Cloud Sync Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Media Cloud Sync Release Timeline

v1.3.8Current
v1.3.7
v1.3.6
v1.3.5
v1.3.4
v1.3.3
v1.3.2
v1.3.1
v1.3.0
v1.2.13
v1.2.12
v1.2.11
v1.2.10
v1.2.9
v1.2.8
v1.2.7
v1.2.6
v1.2.5
v1.2.4
v1.2.3
Code Analysis
Analyzed Mar 16, 2026

Media Cloud Sync Code Analysis

Dangerous Functions
32
Raw SQL Queries
11
39 prepared
Unescaped Output
10
43 escaped
Nonce Checks
1
Capability Checks
3
File Operations
97
External Requests
1
Bundled Libraries
1

Dangerous Functions Found

unserializereturn @unserialize( $data, array( 'allowed_classes' => false ) ); // @phpcs:ignoreincludes\config\utils.php:836
assertassert($bin !== \false);includes\sdk\google\brick\math\src\BigInteger.php:916
assertassert($denominator !== null);includes\sdk\google\brick\math\src\BigNumber.php:65
assertassert($q !== null);includes\sdk\google\brick\math\src\Internal\Calculator\BcMathCalculator.php:71
assertassert($r !== null);includes\sdk\google\brick\math\src\Internal\Calculator\BcMathCalculator.php:72
assertassert(is_int($q));includes\sdk\google\brick\math\src\Internal\Calculator\NativeCalculator.php:155
assertassert($carry === 0);includes\sdk\google\brick\math\src\Internal\Calculator\NativeCalculator.php:341
execexec(implode(' ', $cmd), $output, $returnVar);includes\sdk\google\google\auth\src\CredentialsLoader.php:193
proc_open$procs[$job->identifier()][$i] = proc_open(sprintf('%s %d', $this->command, $job->id()), $this->descincludes\sdk\google\google\cloud-core\src\Batch\BatchDaemon.php:104
unserialize$items[] = unserialize(file_get_contents($message));includes\sdk\google\google\cloud-core\src\Batch\BatchJob.php:112
unserialize$a = unserialize($line);includes\sdk\google\google\cloud-core\src\Batch\Retry.php:63
assertassert($flattenedKeySegmentTuplesCount > 0);includes\sdk\google\google\gax\src\ResourceTemplate\RelativeResourceTemplate.php:148
assertassert($segment->getSegmentType() !== Segment::VARIABLE_SEGMENT);includes\sdk\google\google\gax\src\ResourceTemplate\RelativeResourceTemplate.php:159
assertassert($nestedSegment->getSegmentType() !== Segment::VARIABLE_SEGMENT);includes\sdk\google\google\gax\src\ResourceTemplate\RelativeResourceTemplate.php:287
unserialize$gcp_call_invoker = unserialize($item->get());includes\sdk\google\google\grpc-gcp\src\Config.php:58
proc_open$this->process = proc_open($this->command, static::DESCRIPTOR_SPEC, $this->pipes, $this->cwd);includes\sdk\google\monolog\monolog\src\Monolog\Handler\ProcessHandler.php:104
unserialize$data = unserialize($serialized, ['allowed_classes' => \false]);includes\sdk\google\ramsey\collection\src\AbstractArray.php:153
unserialize$data = unserialize($serialized, ['allowed_classes' => [$this->getType()]]);includes\sdk\google\ramsey\collection\src\AbstractCollection.php:223
unserialize$data = unserialize($serialized, ['allowed_classes' => [BrickMathCalculator::class, GenericNumberConincludes\sdk\google\ramsey\uuid\src\Builder\BuilderCollection.php:56
assertassert($instance instanceof UuidV6);includes\sdk\google\ramsey\uuid\src\Lazy\LazyUuidFromString.php:417
assertassert($instance instanceof UuidV6);includes\sdk\google\ramsey\uuid\src\Lazy\LazyUuidFromString.php:423
shell_execreturn trim((string) shell_exec('id -u'));includes\sdk\google\ramsey\uuid\src\Provider\Dce\SystemDceSecurityProvider.php:88
shell_execreturn trim((string) shell_exec('id -g'));includes\sdk\google\ramsey\uuid\src\Provider\Dce\SystemDceSecurityProvider.php:106
shell_exec$response = shell_exec('whoami /user /fo csv /nh');includes\sdk\google\ramsey\uuid\src\Provider\Dce\SystemDceSecurityProvider.php:142
shell_exec$response = shell_exec('net user %username% | findstr /b /i "Local Group Memberships"');includes\sdk\google\ramsey\uuid\src\Provider\Dce\SystemDceSecurityProvider.php:165
shell_exec$response = shell_exec('wmic group get name,sid | findstr /b /i ' . escapeshellarg($firstGroup));includes\sdk\google\ramsey\uuid\src\Provider\Dce\SystemDceSecurityProvider.php:175
unserialize$data = unserialize($serialized, ['allowed_classes' => [Hexadecimal::class, RandomNodeProvider::clasincludes\sdk\google\ramsey\uuid\src\Provider\Node\NodeProviderCollection.php:41
passthrupassthru('ipconfig /all 2>&1');includes\sdk\google\ramsey\uuid\src\Provider\Node\SystemNodeProvider.php:90
passthrupassthru('ifconfig 2>&1');includes\sdk\google\ramsey\uuid\src\Provider\Node\SystemNodeProvider.php:93
passthrupassthru('netstat -i -f link 2>&1');includes\sdk\google\ramsey\uuid\src\Provider\Node\SystemNodeProvider.php:96
passthrupassthru('netstat -ie 2>&1');includes\sdk\google\ramsey\uuid\src\Provider\Node\SystemNodeProvider.php:100
assertassert($uuid !== '');includes\sdk\google\ramsey\uuid\src\Uuid.php:403

Bundled Libraries

Guzzle

SQL Query Safety

78% prepared50 total queries

Output Escaping

81% escaped53 total outputs
Attack Surface

Media Cloud Sync Attack Surface

Entry Points1
Unprotected0

AJAX Handlers 1

authwp_ajax_wpmcs_get_attachment_detailsincludes\integrations\media-library.php:77
WordPress Hooks 97
filteradmin_body_classincludes\admin.php:34
actionadmin_initincludes\admin.php:36
actionadmin_menuincludes\admin.php:38
actionadmin_enqueue_scriptsincludes\admin.php:40
actionadmin_enqueue_scriptsincludes\admin.php:41
actionload-upload.phpincludes\admin.php:43
actionadmin_footerincludes\admin.php:46
actionwp_initialize_siteincludes\admin.php:50
actionwpmu_new_blogincludes\admin.php:51
actionrest_api_initincludes\api.php:24
filtercron_schedulesincludes\base\bg-runner.php:21
actioninitincludes\base\bg-runner.php:30
actionadmin_noticesincludes\base\services\gcloud.php:78
filterwpmcs_get_attached_file_noopincludes\compatbility\compatibility.php:46
filterwpmcs_get_attached_fileincludes\compatbility\compatibility.php:47
filterwpmcs_get_attached_fileincludes\compatbility\compatibility.php:48
filterwpmcs_pre_update_item_additional_files_to_remove_from_serverincludes\compatbility\compatibility.php:49
filterattachment_url_to_postidincludes\compatbility\compatibility.php:55
filterwpmcs_get_attached_fileincludes\compatbility\compatibility.php:61
filterwpmcs_get_attached_fileincludes\compatbility\compatibility.php:67
filterrest_dispatch_requestincludes\compatbility\compatibility.php:72
filterrest_request_after_callbacksincludes\compatbility\compatibility.php:73
filterwpmcs_wait_for_generate_attachment_metadataincludes\compatbility\compatibility.php:74
filterwpmcs_get_attached_file_copy_back_to_serverincludes\compatbility\compatibility.php:279
filterwpmcs_get_attached_file_copy_back_to_serverincludes\compatbility\compatibility.php:288
filterwp_generate_attachment_metadataincludes\compatbility\compatibility.php:290
actionthe_postincludes\filters\content.php:36
filtercontent_paginationincludes\filters\content.php:37
filterthe_contentincludes\filters\content.php:38
filterthe_excerptincludes\filters\content.php:39
filterrss_enclosureincludes\filters\content.php:40
filtercontent_edit_preincludes\filters\content.php:41
filterexcerpt_edit_preincludes\filters\content.php:42
filterwpmcs_filter_postincludes\filters\content.php:43
filtercontent_save_preincludes\filters\content.php:46
filterexcerpt_save_preincludes\filters\content.php:47
filterwpmcs_enable_backward_url_replacementincludes\filters\content.php:81
actionwp_enqueue_scriptsincludes\front.php:22
actionwp_enqueue_scriptsincludes\front.php:23
actioninitincludes\front.php:25
filteracf/load_value/type=textincludes\integrations\acf.php:49
filteracf/load_value/type=textareaincludes\integrations\acf.php:50
filteracf/load_value/type=wysiwygincludes\integrations\acf.php:51
filteracf/load_value/type=urlincludes\integrations\acf.php:52
filteracf/load_value/type=linkincludes\integrations\acf.php:53
filteracf/update_value/type=textincludes\integrations\acf.php:54
filteracf/update_value/type=textareaincludes\integrations\acf.php:55
filteracf/update_value/type=wysiwygincludes\integrations\acf.php:56
filteracf/update_value/type=urlincludes\integrations\acf.php:57
filteracf/update_value/type=linkincludes\integrations\acf.php:58
filterwp_get_attachment_metadataincludes\integrations\acf.php:65
filtersanitize_file_nameincludes\integrations\acf.php:66
filteracf/load_fieldsincludes\integrations\acf.php:72
filteracf/load_field_groupincludes\integrations\acf.php:73
filterimagify_webp_picture_process_imageincludes\integrations\imagify.php:42
filterimagify_cdnincludes\integrations\imagify.php:47
actionimagify_before_optimizeincludes\integrations\imagify.php:54
filterimagify_before_optimize_sizeincludes\integrations\imagify.php:57
filterwpmcs_pre_update_item_additional_files_to_remove_from_serverincludes\integrations\imagify.php:60
actionimagify_after_optimizeincludes\integrations\imagify.php:63
actionimagify_after_optimizeincludes\integrations\imagify.php:66
actionimagify_after_restore_mediaincludes\integrations\imagify.php:72
filterwpmcs_get_itemincludes\integrations\imagify.php:77
filtermime_typesincludes\integrations\imagify.php:78
filterwpmcs_get_attached_fileincludes\integrations\imagify.php:92
filterwpmcs_do_reupload_mediaincludes\integrations\imagify.php:427
actionattachment_submitbox_misc_actionsincludes\integrations\media-library.php:75
filterwp_get_attachment_urlincludes\integrations\media-library.php:80
filterwp_get_attachment_image_attributesincludes\integrations\media-library.php:81
filterget_image_tagincludes\integrations\media-library.php:82
filterwp_get_attachment_image_srcincludes\integrations\media-library.php:83
filterwp_prepare_attachment_for_jsincludes\integrations\media-library.php:84
filterimage_get_intermediate_sizeincludes\integrations\media-library.php:85
filterget_attached_fileincludes\integrations\media-library.php:86
filterwp_get_original_image_pathincludes\integrations\media-library.php:87
filterwp_video_shortcodeincludes\integrations\media-library.php:88
filterwp_audio_shortcodeincludes\integrations\media-library.php:89
filterwp_calculate_image_srcsetincludes\integrations\media-library.php:94
filterwp_image_file_matches_image_metaincludes\integrations\media-library.php:97
filtershortcode_atts_audioincludes\integrations\media-library.php:100
filtershortcode_atts_videoincludes\integrations\media-library.php:101
filterwp_unique_filenameincludes\integrations\media-library.php:105
filterwp_update_attachment_metadataincludes\integrations\media-library.php:106
filterpre_delete_attachmentincludes\integrations\media-library.php:107
filterdelete_attachmentincludes\integrations\media-library.php:108
actiondelete_postincludes\integrations\media-library.php:109
filterupdate_attached_fileincludes\integrations\media-library.php:110
actionwpmcs_do_update_attachment_metadataincludes\integrations\media-library.php:112
filterget_post_metadataincludes\integrations\media-library.php:289
filterwoocommerce_resize_imagesincludes\integrations\woocommerce.php:41
filterwpmcs_get_attached_fileincludes\integrations\woocommerce.php:47
filterwpmcs_get_attached_fileincludes\integrations\woocommerce.php:69
actioninitincludes\main.php:39
actionrest_api_initincludes\main.php:40
actionplugins_loadedmedia-cloud-sync.php:38
actionadmin_noticesmedia-cloud-sync.php:41
actionadmin_noticesmedia-cloud-sync.php:44
Maintenance & Trust

Media Cloud Sync Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedMar 29, 2026
PHP min version7.4
Downloads9K

Community Trust

Rating98/100
Number of ratings12
Active installs900
Alternatives

Media Cloud Sync Alternatives

SmartSync Lite – Offload media cloud storage using AWS S3, Digital Ocean Spaces

SmartSync Lite – Offload media cloud storage using AWS S3, Digital Ocean Spaces

smartsync-lite-media-offloader-and-assets-cdn

A
100

SmartSync Lite makes it incredibly easy to offload your WordPress media library to Amazon S3 or DigitalOcean Spaces—no technical expertise required! T …

10 No CVEs
Advanced Media Offloader

Advanced Media Offloader

advanced-media-offloader

A
100

Save server space & speed up your site by automatically offloading media to Amazon S3, Cloudflare R2 & more.

4K No CVEs
Offload Media – Cloud Storage

Offload Media – Cloud Storage

offload-media-cloud-storage

A
100

Offload Media moves your WordPress files to cloud storage (AWS S3, DigitalOcean, Cloudflare R2, Google Cloud) to improve site performance.

1K No CVEs
Infinite Uploads – Offload Media and Video to Cloud Storage

Infinite Uploads – Offload Media and Video to Cloud Storage

infinite-uploads

A
100

Move, encode, and serve all your video and other media files from the cloud to boost performance and save on storage.

800 No CVEs
CloudSync Master – Offload Media to S3, Cloudflare R2 & Google Cloud

CloudSync Master – Offload Media to S3, Cloudflare R2 & Google Cloud

wp-cloudsync-master

A
100

Speed up WordPress by offloading media to Cloudflare R2, Amazon S3, Google Cloud & 7 more. Zero egress fees. Migrate from WP Offload Media in one …

10 No CVEs
Developer Profile

Media Cloud Sync Developer Profile

dudlewebs

1 plugin · 900 total installs

94
trust score
Avg Security Score
100/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Media Cloud Sync

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/media-cloud-sync/assets/css/wpmcs-admin.css/wp-content/plugins/media-cloud-sync/assets/js/wpmcs-admin.js/wp-content/plugins/media-cloud-sync/assets/js/wpmcs-media.js
Script Paths
/wp-content/plugins/media-cloud-sync/assets/js/wpmcs-admin.js/wp-content/plugins/media-cloud-sync/assets/js/wpmcs-media.js
Version Parameters
media-cloud-sync/assets/css/wpmcs-admin.css?ver=media-cloud-sync/assets/js/wpmcs-admin.js?ver=media-cloud-sync/assets/js/wpmcs-media.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpmcs-admin-pagewpmcs-admin-uiwpmcs-deactivation-form-wrap
HTML Comments
<!-- Silence is golden. -->
Data Attributes
data-wpmcs-media-providerdata-wpmcs-media-iddata-wpmcs-media-sync-status
JS Globals
wpmcs_media_vars
FAQ

Frequently Asked Questions about Media Cloud Sync