[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fwJzctDhtd_O9fjdLABSdmhkRsAn8YS7EitqF-f4MVBY":3},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":11,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":20,"download_link":21,"security_score":22,"vuln_count":13,"unpatched_count":13,"last_vuln_date":23,"fetched_at":24,"vulnerabilities":25,"developer":40,"crawl_stats":31,"alternatives":48,"analysis":49,"fingerprints":189},"media-folder","Media Folder","1.0.0","Kingdom Creation","https:\u002F\u002Fprofiles.wordpress.org\u002Fkingdomcreation\u002F","\u003Cp>Attach media files to a common parent post, easily upload and list the content of the folder using a shortcode. This plugin is intended for developers to use as it will facilitate the client to add pictures to a slider for instance. Media Folder offers the possibility to virtually group attachements behing to a single hidden post type, the “folder”.\u003C\u002Fp>\n","Attach media files to a common parent post, easily upload and list the content of the folder. 
Useful for making sliders that clients can manage or lis &hellip;",100,12452,1,"2016-12-21T02:03:00.000Z","4.8.28","3.0.1","",[19],"custom-post-type-media-slider-attachements","http:\u002F\u002Fwww.globalsecuresystem.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmedia-folder.1.0.0.zip",63,"2025-07-07 00:00:00","2026-03-15T15:16:48.613Z",[26],{"id":27,"url_slug":28,"title":29,"description":30,"plugin_slug":4,"theme_slug":31,"affected_versions":32,"patched_in_version":31,"severity":33,"cvss_score":34,"cvss_vector":35,"vuln_type":36,"published_date":23,"updated_date":37,"references":38,"days_to_patch":31},"CVE-2025-52786","media-folder-reflected-cross-site-scripting","Media Folder \u003C= 1.0.0 - Reflected Cross-Site Scripting","The Media Folder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",null,"\u003C=1.0.0","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2025-07-17 
12:52:06",[39],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbe62e2ea-0861-4815-b98a-1ea508df952d?source=api-prod",{"slug":41,"display_name":7,"profile_url":8,"plugin_count":42,"total_installs":43,"avg_security_score":44,"avg_patch_time_days":45,"trust_score":46,"computed_at":47},"kingdomcreation",2,110,74,30,76,"2026-04-04T16:24:31.369Z",[],{"attackSurface":50,"codeSignals":105,"taintFlows":134,"riskAssessment":171,"analyzedAt":188},{"hooks":51,"ajaxHandlers":96,"restRoutes":97,"shortcodes":98,"cronEvents":103,"entryPointCount":13,"unprotectedCount":104},[52,57,63,66,69,72,75,78,81,83,86,88,93],{"type":53,"name":54,"callback":54,"file":55,"line":56},"filter","parse_query","includes\\class-media-folder-list-table.php",38,{"type":58,"name":59,"callback":60,"file":61,"line":62},"action","plugins_loaded","anonymous","includes\\class-media-folder.php",145,{"type":58,"name":64,"callback":60,"file":61,"line":65},"add_meta_boxes",160,{"type":58,"name":67,"callback":60,"file":61,"line":68},"admin_head",161,{"type":58,"name":70,"callback":60,"file":61,"line":71},"edit_form_after_title",162,{"type":58,"name":73,"callback":60,"file":61,"line":74},"edit_form_after_editor",163,{"type":58,"name":76,"callback":60,"file":61,"line":77},"save_post",164,{"type":58,"name":79,"callback":60,"file":61,"line":80},"admin_enqueue_scripts",165,{"type":58,"name":79,"callback":60,"file":61,"line":82},166,{"type":58,"name":84,"callback":60,"file":61,"line":85},"wp_enqueue_scripts",181,{"type":58,"name":84,"callback":60,"file":61,"line":87},182,{"type":58,"name":89,"callback":90,"file":91,"line":92},"init","media_folder_shortcode","media-folder.php",42,{"type":58,"name":89,"callback":94,"file":91,"line":95},"register_media_folder",53,[],[],[99],{"tag":100,"callback":101,"file":91,"line":102},"media_folder","Media_Folder_Shortcode::shortcode",39,[],0,{"dangerousFunctions":106,"sqlUsage":107,"outputEscaping":113,"fileOperations":104,"externalRequests":104,
"nonceChecks":104,"capabilityChecks":13,"bundledLibraries":133},[],{"prepared":104,"raw":13,"locations":108},[109],{"file":110,"line":111,"context":112},"admin\\class-media-folder-admin.php",286,"$wpdb->get_results() with variable interpolation",{"escaped":42,"rawEcho":114,"locations":115},8,[116,119,121,123,125,127,130,132],{"file":110,"line":117,"context":118},211,"raw output",{"file":110,"line":120,"context":118},212,{"file":110,"line":122,"context":118},218,{"file":110,"line":124,"context":118},220,{"file":110,"line":126,"context":118},223,{"file":128,"line":129,"context":118},"includes\\class-media-folder-shortcode.php",56,{"file":128,"line":131,"context":118},57,{"file":128,"line":131,"context":118},[],[135,153],{"entryPoint":136,"graph":137,"unsanitizedCount":152,"severity":33},"upload_meta_box (admin\\class-media-folder-admin.php:190)",{"nodes":138,"edges":149},[139,144],{"id":140,"type":141,"label":142,"file":110,"line":143},"n0","source","$_GET (x4)",200,{"id":145,"type":146,"label":147,"file":110,"line":117,"wp_function":148},"n1","sink","echo() [XSS]","echo",[150],{"from":140,"to":145,"sanitized":151},false,4,{"entryPoint":154,"graph":155,"unsanitizedCount":104,"severity":170},"\u003Cclass-media-folder-admin> (admin\\class-media-folder-admin.php:0)",{"nodes":156,"edges":166},[157,158,159,162],{"id":140,"type":141,"label":142,"file":110,"line":143},{"id":145,"type":146,"label":147,"file":110,"line":117,"wp_function":148},{"id":160,"type":141,"label":161,"file":110,"line":143},"n2","$_GET",{"id":163,"type":146,"label":164,"file":110,"line":111,"wp_function":165},"n3","get_results() [SQLi]","get_results",[167,169],{"from":140,"to":145,"sanitized":168},true,{"from":160,"to":163,"sanitized":168},"low",{"summary":172,"deductions":173},"The 'media-folder' plugin v1.0.0 presents a mixed security posture.  On the positive side, the plugin has a limited attack surface with only one entry point (a shortcode) and no unprotected AJAX handlers or REST API routes. 
It also avoids dangerous functions and external HTTP requests, and does not bundle libraries.  However, two concerns arise from its handling of SQL queries and output escaping. The single SQL query ($wpdb->get_results() with variable interpolation at admin\\class-media-folder-admin.php:286) does not go through $wpdb->prepare(). The recorded taint flow marks the $_GET path into that query as sanitized, so no unsanitized SQL injection path was found, but an interpolated query is fragile and should still be converted to a prepared statement. Furthermore, only 2 output sites are escaped against 8 raw echo() sites (20% escaped); these include an unsanitized $_GET-to-echo flow in the admin upload meta box (upload_meta_box, admin\\class-media-folder-admin.php:190) and two raw outputs in the shortcode renderer (includes\\class-media-folder-shortcode.php:56-57), indicating a high likelihood of cross-site scripting (XSS). The analysis also found zero nonce checks even though the plugin registers a save_post callback (includes\\class-media-folder.php:164); if that callback writes request data to post meta it would additionally be exposed to CSRF, which should be confirmed by manual review.\n\nThe vulnerability history reinforces these concerns. The plugin has a known medium-severity reflected XSS CVE (CVE-2025-52786, CVSS 6.1) with no patched version recorded, and the plugin itself has not been updated since 2016-12-21 (tested up to WordPress 4.8.28), so a fix from the author is unlikely and removal is the practical remediation. The reflected XSS aligns with the poor output escaping observed in the static analysis and suggests a recurring weakness in how the plugin escapes user-provided data on output. Note that the CVE is reflected (it requires the victim to open a crafted link) and the taint flows recorded here only trace $_GET sources, so a stored (persistent) XSS path has not been demonstrated by this analysis. 
While the plugin has strengths in limiting its attack surface, the unpatched XSS vulnerability and the insecure SQL query handling are critical weaknesses that demand immediate attention.",[174,177,180,183,186],{"reason":175,"points":176},"Unpatched CVE: Medium",15,{"reason":178,"points":179},"Raw SQL without prepared statements",7,{"reason":181,"points":182},"Low percentage of properly escaped output",6,{"reason":184,"points":185},"Flow with unsanitized path",5,{"reason":187,"points":185},"Missing nonce checks (if applicable to shortcode)","2026-03-16T20:39:52.183Z",{"wat":190,"direct":199},{"assetPaths":191,"generatorPatterns":194,"scriptPaths":195,"versionParams":196},[192,193],"\u002Fwp-content\u002Fplugins\u002Fmedia-folder\u002Fcss\u002Fmedia-folder-admin.css","\u002Fwp-content\u002Fplugins\u002Fmedia-folder\u002Fjs\u002Fmedia-folder-admin.js",[],[193],[197,198],"media-folder-admin.css?ver=","media-folder-admin.js?ver=",{"cssClasses":200,"htmlComments":203,"htmlAttributes":205,"restEndpoints":207,"jsGlobals":208,"shortcodeOutput":209},[201,202],"media-upload-form","type-form",[204]," Override for preview\n\t\t*  \n\t\t*  If the $_GET['preview_id'] is set, then the user wants to see the preview data.\n\t\t*  There is also the case of previewing a page with post_id = 1, but using get_field\n\t\t*  to load data from another post_id.\n\t\t*  In this case, we need to make sure that the autosave revision is actually related\n\t\t*  to the $post_id variable. If they match, then the autosave data will be used, otherwise, \n\t\t*  the user wants to load data from a completely different post_id\n\t\t",[206],"id=\"file-form\"",[],[],[]]