Media Hygiene: Remove or Delete Unused Images and More! Security & Risk Analysis

wordpress.org/plugins/media-hygiene

The Media Hygiene plugin removes unused media from the WordPress library to free up space, reduce clutter, and improve server performance.

5K active installs · v4.0.1 · PHP 7.4+ · WP 5.3+ · Updated May 1, 2025
clean · delete · images · remove · unused-media
97
A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: Jun 19, 2025
Safety Verdict

Is Media Hygiene: Remove or Delete Unused Images and More! Safe to Use in 2026?

Generally Safe

Score 97/100

Media Hygiene: Remove or Delete Unused Images and More! has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Jun 19, 2025 · Updated 11mo ago
Risk Assessment

The "media-hygiene" plugin v4.0.1 has a mixed security posture. On the positive side, 75% of its SQL queries use prepared statements and 90% of its output is escaped. The presence of nonces and capability checks on all identified AJAX handlers is also a strong security indicator. However, one AJAX handler was found lacking authentication checks, which creates a direct entry point for unauthorized actions. In addition, taint analysis revealed two high-severity flows with unsanitized paths, which could lead to injection vulnerabilities if these flows are exposed to user input.

The vulnerability history of this plugin is a notable red flag. While the latest known vulnerability was in 2025, the fact that one out of three total CVEs remains unpatched is a critical issue. The prevalence of "Missing Authorization" as a common vulnerability type in its history suggests a recurring pattern of oversight in securing sensitive functionalities. This, combined with the static analysis finding of an unprotected AJAX handler, reinforces concerns about the plugin's authorization mechanisms. The plugin has strengths in areas like SQL and output sanitization, but the identified authorization flaws and unpatched vulnerability demand attention.

Key Concerns

  • Unprotected AJAX handler found
  • High severity taint flows with unsanitized paths
  • Currently unpatched CVE
  • History of missing authorization vulnerabilities
Vulnerabilities
3

Media Hygiene: Remove or Delete Unused Images and More! Security Vulnerabilities

CVEs by Year

2024: 1 CVE
2025: 2 CVEs

Severity Breakdown

Medium: 3

3 total CVEs

CVE-2025-49979 · medium · 4.3 · Missing Authorization

Media Hygiene <= 4.0.2 - Missing Authorization

Jun 19, 2025 · Patched in 4.0.3 (286d)

CVE-2025-47469 · medium · 5.4 · Missing Authorization

Media Hygiene <= 4.0.0 - Missing Authorization

May 7, 2025 · Patched in 4.0.1 (6d)

CVE-2024-5855 · medium · 4.3 · Missing Authorization

Media Hygiene <= 3.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Attachment Deletion

Jul 8, 2024 · Patched in 3.0.2 (1d)

Code Analysis
Analyzed Mar 16, 2026

Media Hygiene: Remove or Delete Unused Images and More! Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 29 (85 prepared)
Unescaped Output: 41 (386 escaped)
Nonce Checks: 28
Capability Checks: 28
File Operations: 4
External Requests: 2
Bundled Libraries: 0

SQL Query Safety

75% prepared · 114 total queries

Output Escaping

90% escaped · 427 total outputs
Data Flows
3 unsanitized

Data Flow Analysis

14 flows · 3 with unsanitized paths
fn_wmh_search_box_html (templates\admin\wmh-media-hygiene-view.php:482)
Attack Surface
1 unprotected

Media Hygiene: Remove or Delete Unused Images and More! Attack Surface

Entry Points: 28
Unprotected: 1

AJAX Handlers 28

auth · wp_ajax_fetch_statistics_data · includes\wmh-dashboard.php:35
auth · wp_ajax_wmh_aap_action · includes\wmh-dashboard.php:38
auth · wp_ajax_wmh_aap_close_notice_permanently_action · includes\wmh-dashboard.php:41
auth · wp_ajax_database_update_wmh_by_version · includes\wmh-dashboard.php:44
auth · wp_ajax_get_deleted_media_list · includes\wmh-deleted-media.php:27
auth · wp_ajax_deleted_media_list_action · includes\wmh-deleted-media.php:29
auth · wp_ajax_clear_error_log_action · includes\wmh-error-log.php:18
auth · wp_ajax_wmh_customer_feedback · includes\wmh-plugin-feedback.php:11
auth · wp_ajax_scan_unused_images · includes\wmh-scan.php:37
auth · wp_ajax_fetch_data_from_database · includes\wmh-scan.php:39
auth · wp_ajax_scanning_data · includes\wmh-scan.php:41
auth · wp_ajax_row_action_trash · includes\wmh-scan.php:44
auth · wp_ajax_whitelist_single_image_call · includes\wmh-scan.php:50
auth · wp_ajax_blacklist_single_image_call · includes\wmh-scan.php:52
auth · wp_ajax_filter_data_ajax_call · includes\wmh-scan.php:54
auth · wp_ajax_bulk_action_trash · includes\wmh-scan.php:56
auth · wp_ajax_bulk_action_to_whitelist · includes\wmh-scan.php:58
auth · wp_ajax_bulk_action_to_blacklist · includes\wmh-scan.php:60
auth · wp_ajax_trash_page_media · includes\wmh-scan.php:66
auth · wp_ajax_bulk_action_trash_to_restore · includes\wmh-scan.php:69
auth · wp_ajax_restore_single_image_call · includes\wmh-scan.php:71
auth · wp_ajax_wmh_bulk_restore · includes\wmh-scan.php:73
auth · wp_ajax_delete_permanently_single_image_call · includes\wmh-scan.php:75
auth · wp_ajax_bulk_action_delete · includes\wmh-scan.php:77
auth · wp_ajax_wmh_delete_permanently · includes\wmh-scan.php:79
auth · wp_ajax_fetch_data_from_elementor · includes\wmh-scan.php:81
auth · wp_ajax_save_scan_settings_call · includes\wmh-settings.php:16
auth · wp_ajax_send_data_to_server_action · includes\wmh-settings.php:18

WordPress Hooks 12
action · admin_post_create_page_unused_media_zip_action · includes\wmh-download-unused-media.php:21
action · admin_menu · includes\wmh-general.php:29
action · init · includes\wmh-my-cron-job.php:36
filter · cron_schedules · includes\wmh-my-cron-job.php:37
action · fn_mh_daily_cron_job · includes\wmh-my-cron-job.php:63
action · fn_mh_weekly_cron_job · includes\wmh-my-cron-job.php:76
action · fn_mh_biweekly_cron_job · includes\wmh-my-cron-job.php:89
action · fn_mh_monthly_cron_job · includes\wmh-my-cron-job.php:102
action · fn_mh_quarterly_cron_job · includes\wmh-my-cron-job.php:115
action · init · media-hygiene.php:31
action · admin_footer · media-hygiene.php:33
action · admin_enqueue_scripts · media-hygiene.php:35

Scheduled Events 5

fn_mh_daily_cron_job
fn_mh_weekly_cron_job
fn_mh_biweekly_cron_job
fn_mh_monthly_cron_job
fn_mh_quarterly_cron_job
Maintenance & Trust

Media Hygiene: Remove or Delete Unused Images and More! Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: May 1, 2025
PHP min version: 7.4
Downloads: 43K

Community Trust

Rating: 80/100
Number of ratings: 30
Active installs: 5K
Developer Profile

Media Hygiene: Remove or Delete Unused Images and More! Developer Profile

Jay Versluis

6 plugins · 15K total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 98 days
Detection Fingerprints

How We Detect Media Hygiene: Remove or Delete Unused Images and More!

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/media-hygiene/assets/css/wmh-custom-feedback.css
/wp-content/plugins/media-hygiene/assets/js/wmh-custom-feedback.js
Script Paths
/wp-content/plugins/media-hygiene/assets/js/wmh-custom-feedback.js
Version Parameters
media-hygiene/assets/css/wmh-custom-feedback.css?ver=
media-hygiene/assets/js/wmh-custom-feedback.js?ver=

HTML / DOM Fingerprints

CSS Classes
wmh-modal
HTML Comments
<!-- wmh-plugin-feedback-view.php -->
<!-- wmh-deactivation-plugin-feedback-popup -->
Data Attributes
data-plugin-name="Media Hygiene"
data-plugin-version="4.0.1"
JS Globals
wmhFeedbackObj
FAQ

Frequently Asked Questions about Media Hygiene: Remove or Delete Unused Images and More!