Media Folder Security & Risk Analysis

wordpress.org/plugins/media-folder

Attach media files to a common parent post, easily upload and list the content of the folder. Useful for making sliders that clients can manage or lis …

Active installs: 100 · Version: 1.0.0 · Requires: WP 3.0.1+ (no PHP minimum listed) · Updated: Dec 21, 2016
Tags: custom-post-type-media-slider-attachements
Score: 63/100 (C · Use Caution)
CVEs total: 1 · Unpatched: 1 · Last CVE: Jul 7, 2025
Safety Verdict

Is Media Folder Safe to Use in 2026?

Use With Caution

Score 63/100

Media Folder has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Jul 7, 2025 · Plugin last updated 9 years ago
Risk Assessment

The 'media-folder' plugin v1.0.0 presents a mixed security posture. On the positive side, the attack surface is small: the only entry point is the [media_folder] shortcode, and the plugin registers no AJAX handlers or REST API routes. It also calls no dangerous functions, makes no external HTTP requests, performs no file operations, and bundles no third-party libraries. The concerns are in how it queries the database and renders output. Its single SQL query is built without $wpdb->prepare(); that is only exploitable if the query incorporates attacker-influenced data, which the static analysis does not establish, but it is exactly the construction that leads to SQL injection and it should be checked by hand. Output escaping is worse: only 2 of 10 output sites are escaped (20%), which makes cross-site scripting (XSS) likely. The analysis also found one capability check and no nonce checks, so the admin-side save path deserves the same manual review.

The vulnerability history bears this out. The plugin has one known medium-severity CVE (CVE-2025-52786, CVSS 6.1), a reflected XSS affecting versions <= 1.0.0, and it is unpatched: the plugin's last release was December 2016, more than eight years before the CVE was published, so a vendor fix should not be expected. A reflected XSS finding matches the poor output escaping seen in the static analysis and points to a recurring weakness in how the plugin sanitizes and outputs user-supplied data. The limited attack surface keeps the blast radius small, but the unpatched XSS and the unprepared SQL query are the weaknesses to address first; in practice that means removing or replacing the plugin, or maintaining a patched fork.
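The following is an added example, not code from the Media Folder plugin. It shows a hypothetical [media_folder]-style handler that lists a parent post's attachments, written first with the two patterns the assessment flags (SQL built by string interpolation, output echoed raw, a request parameter reflected into markup) and then hardened with $wpdb->prepare() and context-specific escaping. The shortcode attributes, the mf_page request parameter and all function names are assumptions; the exact parameter behind CVE-2025-52786 is not given on this page.

```php
<?php
/**
 * Added example, not the Media Folder plugin's code. Hypothetical shortcode
 * handler shown insecure and hardened. Attribute names, the mf_page request
 * parameter and function names are assumptions. Runs inside WordPress,
 * e.g. dropped into wp-content/mu-plugins/.
 */

// As flagged by the analysis: interpolated SQL and unescaped output.
function mf_example_insecure_shortcode( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'id' => get_the_ID(), 'class' => '' ), $atts );

    // $atts['id'] is spliced into the query text: whoever controls the
    // attribute (post author, or any filter feeding it) controls the SQL.
    $rows = $wpdb->get_results(
        "SELECT ID, post_title, guid FROM {$wpdb->posts}
         WHERE post_parent = {$atts['id']} AND post_type = 'attachment'"
    );

    // A request parameter reflected straight into an attribute: the
    // reflected-XSS class of CVE-2025-52786.
    $page = isset( $_GET['mf_page'] ) ? $_GET['mf_page'] : '1';

    $html = '<ul class="' . $atts['class'] . '" data-page="' . $page . '">';
    foreach ( $rows as $row ) {
        // Titles are stored as entered; guid is whatever sits in the table.
        $html .= '<li><a href="' . $row->guid . '">' . $row->post_title . '</a></li>';
    }
    return $html . '</ul>';
}

// Hardened form: typed input, prepared query, escaping chosen per context.
function mf_example_hardened_shortcode( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'id' => get_the_ID(), 'class' => '' ), $atts, 'media_folder_example' );

    $parent = absint( $atts['id'] );   // coerce to a non-negative integer
    if ( 0 === $parent ) {
        return '';
    }
    $page = isset( $_GET['mf_page'] ) ? max( 1, absint( $_GET['mf_page'] ) ) : 1;

    // %d binds the value as an integer; nothing from $atts reaches the SQL text.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts}
             WHERE post_parent = %d AND post_type = 'attachment' AND post_status = 'inherit'
             ORDER BY menu_order ASC",
            $parent
        )
    );

    // Escape for the context each value lands in: attribute, URL, text node.
    $html = sprintf( '<ul class="%s" data-page="%d">', esc_attr( $atts['class'] ), $page );
    foreach ( $rows as $row ) {
        $html .= sprintf(
            '<li><a href="%s">%s</a></li>',
            esc_url( wp_get_attachment_url( $row->ID ) ),
            esc_html( $row->post_title )
        );
    }
    return $html . '</ul>';
}

add_shortcode( 'media_folder_example', 'mf_example_hardened_shortcode' );
```

Note the order in the hardened handler: coerce the input to its type, bind it with $wpdb->prepare(), then escape at the point of output. The two controls do not substitute for each other: $wpdb->prepare() does nothing against XSS and esc_html() does nothing against SQL injection, so each line of the code-analysis tally needs its own fix.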

Key Concerns

  • Unpatched CVE: medium severity (CVE-2025-52786, reflected XSS, versions <= 1.0.0)
  • Raw SQL: 1 query, none built with $wpdb->prepare()
  • Low output escaping: 2 of 10 output sites escaped (20%)
  • 1 data flow with an unsanitized path (upload_meta_box, admin\class-media-folder-admin.php:190)
  • No nonce checks found; the plugin hooks save_post (includes\class-media-folder.php:164), which is where a meta-box save handler would normally verify one
Vulnerabilities (1)

Media Folder Security Vulnerabilities

CVEs by Year

  • 2025: 1 CVE (unpatched)

Severity Breakdown

  • Medium: 1 (1 total CVE)

CVE-2025-52786 · Medium (CVSS 6.1) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Media Folder <= 1.0.0 - Reflected Cross-Site Scripting

Jul 7, 2025 · Unpatched
Code Analysis (analyzed Mar 16, 2026)

Media Folder Code Analysis

  • Dangerous functions: 0
  • Raw SQL queries: 1 (0 prepared)
  • Unescaped output: 8 (2 escaped)
  • Nonce checks: 0
  • Capability checks: 1
  • File operations: 0
  • External requests: 0
  • Bundled libraries: 0

SQL Query Safety: 0% prepared (1 total query)

Output Escaping: 20% escaped (10 total outputs)

Data Flows: 1 unsanitized

Data Flow Analysis

2 flows, 1 with an unsanitized path:

  • upload_meta_box (admin\class-media-folder-admin.php:190): user input (source) reaches a dangerous operation (sink) without passing through a sanitizer
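An added example, not the plugin's code, of the admin-side pattern the unsanitized flow above and the zero-nonce tally point at: a meta box whose save_post handler verifies a nonce, checks the user's capability, and sanitizes the submitted value before it is stored. The meta box id, the meta key, the field name and the function names are assumptions; the file runs inside WordPress as an mu-plugin.

```php
<?php
/**
 * Added example, not the Media Folder plugin's code. Hypothetical meta box
 * plus save handler showing the nonce, capability and sanitization steps.
 * Names (mf_example_*, _mf_example_folder_label) are assumptions.
 * Runs inside WordPress from wp-content/mu-plugins/.
 */

const MF_EXAMPLE_META_KEY = '_mf_example_folder_label';

add_action( 'add_meta_boxes', function () {
    add_meta_box( 'mf-example', 'Media Folder (example)', 'mf_example_meta_box', 'post', 'side' );
} );

function mf_example_meta_box( $post ) {
    // The nonce is bound to this action and this post ID; verified on save.
    wp_nonce_field( 'mf_example_save_' . $post->ID, 'mf_example_nonce' );

    $label = get_post_meta( $post->ID, MF_EXAMPLE_META_KEY, true );
    // Stored value is escaped for the attribute context on the way back out.
    printf(
        '<label for="mf-example-label">%s</label>'
        . '<input type="text" id="mf-example-label" name="mf_example_label" value="%s" class="widefat">',
        esc_html__( 'Folder label', 'mf-example' ),
        esc_attr( $label )
    );
}

add_action( 'save_post', 'mf_example_save' );

function mf_example_save( $post_id ) {
    // 1. Autosaves and revisions never carry this form; bail early.
    if ( wp_is_post_autosave( $post_id ) || wp_is_post_revision( $post_id ) ) {
        return;
    }

    // 2. Nonce: proves the request originated from the meta box rendered
    //    for this post (CSRF defence). Without it, any site a logged-in
    //    editor visits can submit this form on their behalf.
    if ( ! isset( $_POST['mf_example_nonce'] ) ) {
        return;
    }
    $nonce = sanitize_text_field( wp_unslash( $_POST['mf_example_nonce'] ) );
    if ( ! wp_verify_nonce( $nonce, 'mf_example_save_' . $post_id ) ) {
        return;
    }

    // 3. Capability: the nonce proves intent, not authorisation.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    // 4. Sanitize before the value reaches the database (and later, the page).
    if ( isset( $_POST['mf_example_label'] ) ) {
        $label = sanitize_text_field( wp_unslash( $_POST['mf_example_label'] ) );
        update_post_meta( $post_id, MF_EXAMPLE_META_KEY, $label );
    }
}
```

The three checks are independent: a nonce without a capability check lets any user who can see the form write the value, and a capability check without a nonce leaves the save open to cross-site request forgery. Sanitizing on input does not replace escaping on output; the meta box callback still runs esc_attr() when it prints the stored value.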
Attack Surface

Media Folder Attack Surface

Entry points: 1 · Unprotected: 0

Shortcodes (1)

  • [media_folder] · media-folder.php:39

WordPress Hooks (13)

  • filter parse_query · includes\class-media-folder-list-table.php:38
  • action plugins_loaded · includes\class-media-folder.php:145
  • action add_meta_boxes · includes\class-media-folder.php:160
  • action admin_head · includes\class-media-folder.php:161
  • action edit_form_after_title · includes\class-media-folder.php:162
  • action edit_form_after_editor · includes\class-media-folder.php:163
  • action save_post · includes\class-media-folder.php:164
  • action admin_enqueue_scripts · includes\class-media-folder.php:165
  • action admin_enqueue_scripts · includes\class-media-folder.php:166
  • action wp_enqueue_scripts · includes\class-media-folder.php:181
  • action wp_enqueue_scripts · includes\class-media-folder.php:182
  • action init · media-folder.php:42
  • action init · media-folder.php:53
Maintenance & Trust

Media Folder Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 4.8.28
  • Last updated: Dec 21, 2016
  • PHP min version: not listed
  • Downloads: 12K

Community Trust

  • Rating: 100/100
  • Number of ratings: 1
  • Active installs: 100

A perfect rating from a single review carries little signal; the nine-year gap since the last update and the unpatched CVE are the stronger indicators here.
Alternatives

Media Folder Alternatives

No alternatives data available yet.

Developer Profile

Media Folder Developer Profile

Kingdom Creation · 2 plugins · 110 total installs

  • Trust score: 76
  • Avg security score: 74/100
  • Avg patch time: 30 days

The 30-day average patch time cannot reflect this plugin, whose only CVE remains unpatched.
Detection Fingerprints

How We Detect Media Folder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset paths:
  • /wp-content/plugins/media-folder/css/media-folder-admin.css
  • /wp-content/plugins/media-folder/js/media-folder-admin.js
Script paths:
  • /wp-content/plugins/media-folder/js/media-folder-admin.js
Version parameters:
  • media-folder-admin.css?ver=
  • media-folder-admin.js?ver=

Both listed assets are the plugin's admin bundle (the plugin hooks admin_enqueue_scripts at includes\class-media-folder.php:165-166), so they appear in wp-admin responses to logged-in users; an unauthenticated crawl of the public front end is likely to miss them. The ?ver= value is the plugin's version only if the plugin passes one when enqueuing; otherwise WordPress appends its own version string.

HTML / DOM Fingerprints

CSS classes: media-upload-form, type-form
HTML comments: "Override for preview * * If the $_GET['preview_id'] is set, then the user wants to see the preview data. * There is also the case of previewing a page with post_id = 1, but using get_field * to load data from another post_id. * In this case, we need to make sure that the autosave revision is actually related * to the $post_id variable. If they match, then the autosave data will be used, otherwise, * the user wants to load data from a completely different post_id" (this is a PHP source comment, referencing $_GET['preview_id'] and the get_field() helper, not markup that reaches the browser, so it is not usable as a remote fingerprint)
Data attributes: id="file-form"

The media-upload-form and type-form classes and the file-form id are the markup of WordPress core's own media upload form (wp-admin/includes/media.php), so on their own they identify a WordPress admin page, not this plugin. Only the asset paths are specific to media-folder.
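An added example, not part of the page's own scanner, that applies the plugin-specific asset fingerprints above to a captured HTML page: it looks for the two media-folder asset paths, extracts the ?ver= query string WordPress appends when enqueuing, and reports whether the detected version falls in the range CVE-2025-52786 covers. The sample HTML is constructed inline (what wp_enqueue_style/wp_enqueue_script emit for the plugin's admin assets) so the script runs offline with `php mf_detect.php`.

```php
<?php
/**
 * Added example, not code from the page or the plugin. Fingerprint check
 * for Media Folder over a captured HTML document. The sample HTML below is
 * constructed for the example.
 */

const MF_ASSET_PATHS = array(
    '/wp-content/plugins/media-folder/css/media-folder-admin.css',
    '/wp-content/plugins/media-folder/js/media-folder-admin.js',
);

/**
 * Returns null when no asset path matched, otherwise the matched paths and
 * the ?ver= value (null when the asset carried no version parameter).
 */
function mf_detect( string $html ): ?array {
    $hits    = array();
    $version = null;
    foreach ( MF_ASSET_PATHS as $path ) {
        // The path as it appears in href/src, with an optional ?ver=... suffix.
        $pattern = '#' . preg_quote( $path, '#' ) . '(?:\?ver=([^"\'&\s]+))?#';
        if ( preg_match( $pattern, $html, $m ) ) {
            $hits[] = $path;
            if ( isset( $m[1] ) && '' !== $m[1] ) {
                $version = $m[1];
            }
        }
    }
    if ( empty( $hits ) ) {
        return null;
    }
    return array( 'paths' => $hits, 'version' => $version );
}

// Constructed sample: the link/script tags WordPress emits for the plugin's
// admin assets, as seen in a wp-admin response by a logged-in session.
$sample = <<<HTML
<link rel='stylesheet' id='media-folder-admin-css' href='https://example.test/wp-content/plugins/media-folder/css/media-folder-admin.css?ver=1.0.0' type='text/css' media='all' />
<script type='text/javascript' src='https://example.test/wp-content/plugins/media-folder/js/media-folder-admin.js?ver=1.0.0'></script>
HTML;

$result = mf_detect( $sample );
if ( null === $result ) {
    echo "media-folder: not detected\n";
} else {
    printf(
        "media-folder: detected (%d asset(s)), version %s\n",
        count( $result['paths'] ),
        $result['version'] ?? 'unknown'
    );
    // 1.0.0 is the only version this page lists; the CVE covers <= 1.0.0.
    // A WordPress version in ?ver= (the default when a plugin passes none)
    // would not satisfy this comparison, so an "unknown" result needs a
    // manual check rather than a clean bill of health.
    if ( null !== $result['version'] && version_compare( $result['version'], '1.0.0', '<=' ) ) {
        echo "affected by CVE-2025-52786 (Media Folder <= 1.0.0, unpatched)\n";
    }
}
```

Run it against a saved wp-admin page rather than the public front end, for the reason given above: the listed assets are enqueued on admin_enqueue_scripts. The DOM fingerprints (media-upload-form, type-form, file-form) are deliberately left out of the check because they match WordPress core's media upload form on any site.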
FAQ

Frequently Asked Questions about Media Folder