Media Library Folders Security & Risk Analysis

wordpress.org/plugins/media-library-plus

Easier file and folder management for WordPress Media Library for Galleries and Albums

10K active installs · v8.3.7 · PHP + WP 4.0+ · Updated Feb 12, 2026
Tags: media-library-folders, organize-media-library
Score 86 · A · Safe
CVEs total: 8
Unpatched: 0
Last CVE: Feb 13, 2026
Safety Verdict

Is Media Library Folders Safe to Use in 2026?

Generally Safe

Score 86/100

Media Library Folders has a strong security track record. Known vulnerabilities have been patched promptly.

8 known CVEs · Last CVE: Feb 13, 2026 · Updated 1mo ago
Risk Assessment

The "media-library-plus" v8.3.7 plugin exhibits a mixed security posture. While it demonstrates good practices in its handling of SQL queries, with 97% using prepared statements, and a significant number of nonce and capability checks, several areas raise concerns. The presence of two AJAX handlers without authentication checks represents a direct attack surface that could be exploited by unauthenticated users. The taint analysis, while not revealing critical or high-severity issues in this specific scan, showed 14 flows with unsanitized paths, suggesting a potential for path-related vulnerabilities if not carefully managed.

The plugin's vulnerability history is a significant red flag. With a total of 8 known CVEs, including one critical and one high-severity, and a recent vulnerability recorded in 2026, it indicates a pattern of security weaknesses. The common vulnerability types such as Missing Authorization, Cross-site Scripting, Path Traversal, SQL Injection, and CSRF further highlight recurring issues that attackers may target. The fact that there are currently no unpatched vulnerabilities is positive, but the historical trend suggests a need for vigilant monitoring and prompt updates.

In conclusion, while the plugin has strengths in its SQL handling and general security checks, the unauthenticated AJAX endpoints, unsanitized path flows, and a concerning history of diverse and severe vulnerabilities present notable risks. The plugin's overall security would be significantly improved by addressing the unauthenticated entry points and ensuring thorough sanitization of all path-related operations. Users should be cautious and ensure they are running the latest available version, which ideally would have addressed past vulnerabilities.

Key Concerns

  • AJAX handlers without authentication checks
  • Flows with unsanitized paths
  • History of critical CVEs
  • History of high CVEs
  • Use of unserialize function
  • Output escaping below 100%
Vulnerabilities
8

Media Library Folders Security Vulnerabilities

CVEs by Year

  • 2022: 1 CVE
  • 2024: 5 CVEs
  • 2025: 1 CVE
  • 2026: 1 CVE

Severity Breakdown

  • Critical: 1
  • High: 1
  • Medium: 6

8 total CVEs

CVE-2026-2312 · medium · 4.3 · Missing Authorization

Media Library Folders <= 8.3.6 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Attachment Deletion and Rename

Feb 13, 2026 · Patched in 8.3.7 (1d)

CVE-2025-0935 · medium · 4.3 · Missing Authorization

Media Library Folders <= 8.3.0 - Missing Authorization to Plugin Settings Change

Feb 14, 2025 · Patched in 8.3.1 (1d)

CVE-2024-7858 · medium · 6.3 · Missing Authorization

Media Library Folders <= 8.2.3 - Missing Authorization on Various Functions

Aug 29, 2024 · Patched in 8.2.4 (1d)

CVE-2024-7857 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Media Library Folders <= 8.2.2 - Authenticated (Subscriber+) Second-Order SQL Injection

Aug 28, 2024 · Patched in 8.2.3 (157d)

CVE-2024-3615 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Media Library Folders <= 8.2.0 - Reflected Cross-Site Scripting via 's'

Apr 18, 2024 · Patched in 8.2.1 (1d)

CVE-2024-31287 · medium · 4.3 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Media Library Folders <= 8.1.8 - Authenticated (Author+) Directory Traversal

Apr 5, 2024 · Patched in 8.1.9 (7d)

CVE-2024-30486 · critical · 9.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Media Library Folders <= 8.1.7 - Authenticated (Author+) SQL Injection

Mar 28, 2024 · Patched in 8.1.8 (7d)

CVE-2022-41634 · high · 8.8 · Cross-Site Request Forgery (CSRF)

Media Library Folders <= 7.1.1 - Cross-Site Request Forgery

Sep 30, 2022 · Patched in 7.1.2 (480d)
Code Analysis
Analyzed Mar 16, 2026

Media Library Folders Code Analysis

  • Dangerous Functions: 2
  • Raw SQL Queries: 3 (109 prepared)
  • Unescaped Output: 128 (428 escaped)
  • Nonce Checks: 43
  • Capability Checks: 57
  • File Operations: 36
  • External Requests: 0
  • Bundled Libraries: 1

Dangerous Functions Found

unserialize · $data = @unserialize($row->meta_value); · media-library-plus.php:6781
unserialize · $data = unserialize($record->meta_value); · media-library-plus.php:6957

Bundled Libraries

Select2

SQL Query Safety

97% prepared · 112 total queries

Output Escaping

77% escaped · 556 total outputs
Data Flows
14 unsanitized

Data Flow Analysis

25 flows · 14 with unsanitized paths
mlfp_load_image (media-library-plus.php:443)
Attack Surface
2 unprotected

Media Library Folders Attack Surface

Entry Points: 73
Unprotected: 2

AJAX Handlers 73

nopriv · wp_ajax_create_new_folder · media-library-plus.php:205
auth · wp_ajax_create_new_folder · media-library-plus.php:206
auth · wp_ajax_delete_maxgalleria_media · media-library-plus.php:208
nopriv · wp_ajax_upload_attachment · media-library-plus.php:210
auth · wp_ajax_upload_attachment · media-library-plus.php:211
nopriv · wp_ajax_add_to_max_gallery · media-library-plus.php:220
auth · wp_ajax_add_to_max_gallery · media-library-plus.php:221
auth · wp_ajax_maxgalleria_rename_image · media-library-plus.php:223
nopriv · wp_ajax_sort_contents · media-library-plus.php:225
auth · wp_ajax_sort_contents · media-library-plus.php:226
nopriv · wp_ajax_mgmlp_move_copy · media-library-plus.php:228
auth · wp_ajax_mgmlp_move_copy · media-library-plus.php:229
nopriv · wp_ajax_mlf_check_for_new_folders · media-library-plus.php:233
auth · wp_ajax_mlf_check_for_new_folders · media-library-plus.php:234
nopriv · wp_ajax_mlfp_display_bda_info · media-library-plus.php:236
auth · wp_ajax_mlfp_display_bda_info · media-library-plus.php:237
nopriv · wp_ajax_mlp_load_folder · media-library-plus.php:248
auth · wp_ajax_mlp_load_folder · media-library-plus.php:249
nopriv · wp_ajax_mlp_display_folder_contents_ajax · media-library-plus.php:252
auth · wp_ajax_mlp_display_folder_contents_ajax · media-library-plus.php:253
nopriv · wp_ajax_mlp_display_folder_contents_images_ajax · media-library-plus.php:255
auth · wp_ajax_mlp_display_folder_contents_images_ajax · media-library-plus.php:256
nopriv · wp_ajax_mlpp_hide_template_ad · media-library-plus.php:258
auth · wp_ajax_mlpp_hide_template_ad · media-library-plus.php:259
nopriv · wp_ajax_mlpp_create_new_ng_gallery · media-library-plus.php:261
auth · wp_ajax_mlpp_create_new_ng_gallery · media-library-plus.php:262
nopriv · wp_ajax_display_folder_nav_ajax · media-library-plus.php:264
auth · wp_ajax_mgmlp_display_folder_nav_ajax · media-library-plus.php:265
nopriv · wp_ajax_mlp_get_folder_data · media-library-plus.php:267
auth · wp_ajax_mlp_get_folder_data · media-library-plus.php:268
nopriv · wp_ajax_regen_mlp_thumbnails · media-library-plus.php:270
auth · wp_ajax_regen_mlp_thumbnails · media-library-plus.php:271
auth · wp_ajax_regeneratethumbnail · media-library-plus.php:273
nopriv · wp_ajax_mlp_image_seo_change · media-library-plus.php:276
auth · wp_ajax_mlp_image_seo_change · media-library-plus.php:277
nopriv · wp_ajax_hide_maxgalleria_media · media-library-plus.php:279
auth · wp_ajax_hide_maxgalleria_media · media-library-plus.php:280
nopriv · wp_ajax_mlf_hide_info · media-library-plus.php:285
auth · wp_ajax_mlf_hide_info · media-library-plus.php:286
nopriv · wp_ajax_mlfp_set_scaling · media-library-plus.php:288
auth · wp_ajax_mlfp_set_scaling · media-library-plus.php:289
nopriv · wp_ajax_mlfp_run_sync_process · media-library-plus.php:291
auth · wp_ajax_mlfp_run_sync_process · media-library-plus.php:292
nopriv · wp_ajax_mlfp_process_mc_data · media-library-plus.php:294
auth · wp_ajax_mlfp_process_mc_data · media-library-plus.php:295
nopriv · wp_ajax_mlf_change_sort_type · media-library-plus.php:297
auth · wp_ajax_mlf_change_sort_type · media-library-plus.php:298
nopriv · wp_ajax_mlfp_process_bdp · media-library-plus.php:300
auth · wp_ajax_mlfp_process_bdp · media-library-plus.php:301
nopriv · wp_ajax_mlfp_save_noaccess_page · media-library-plus.php:303
auth · wp_ajax_mlfp_save_noaccess_page · media-library-plus.php:304
nopriv · wp_ajax_mlfp_bdp_report · media-library-plus.php:306
auth · wp_ajax_mlfp_bdp_report · media-library-plus.php:307
nopriv · wp_ajax_mlfp_block_new_ip · media-library-plus.php:309
auth · wp_ajax_mlfp_block_new_ip · media-library-plus.php:310
nopriv · wp_ajax_mlfp_unblock_ips · media-library-plus.php:312
auth · wp_ajax_mlfp_unblock_ips · media-library-plus.php:313
nopriv · wp_ajax_mlfp_get_block_ips · media-library-plus.php:315
auth · wp_ajax_mlfp_get_block_ips · media-library-plus.php:316
nopriv · wp_ajax_mlfp_load_image · media-library-plus.php:318
auth · wp_ajax_mlfp_load_image · media-library-plus.php:319
nopriv · wp_ajax_mlfp_load_fe_image · media-library-plus.php:321
auth · wp_ajax_mlfp_load_fe_image · media-library-plus.php:322
nopriv · wp_ajax_mlfp_toggle_file_access · media-library-plus.php:324
auth · wp_ajax_mlfp_toggle_file_access · media-library-plus.php:325
nopriv · wp_ajax_mlfp_update_bda_record · media-library-plus.php:327
auth · wp_ajax_mlfp_update_bda_record · media-library-plus.php:328
nopriv · wp_ajax_mflp_enable_auto_protect · media-library-plus.php:330
auth · wp_ajax_mflp_enable_auto_protect · media-library-plus.php:331
nopriv · wp_ajax_clean_database · mlp-reset.php:49
auth · wp_ajax_clean_database · mlp-reset.php:50
nopriv · wp_ajax_mlfr_remove_tables · mlp-reset.php:52
auth · wp_ajax_mlfr_remove_tables · mlp-reset.php:53
WordPress Hooks 31
action · init · media-library-plus.php:190
action · init · media-library-plus.php:191
action · init · media-library-plus.php:192
action · admin_init · media-library-plus.php:194
action · admin_print_styles · media-library-plus.php:196
action · admin_print_scripts · media-library-plus.php:197
action · admin_menu · media-library-plus.php:198
filter · big_image_size_threshold · media-library-plus.php:202
action · new_folder_check · media-library-plus.php:231
filter · wp_generate_attachment_metadata · media-library-plus.php:241
action · delete_attachment · media-library-plus.php:243
filter · body_class · media-library-plus.php:282
filter · admin_body_class · media-library-plus.php:283
action · wp_enqueue_media · media-library-plus.php:333
filter · wp_prepare_attachment_for_js · media-library-plus.php:334
action · admin_enqueue_scripts · media-library-plus.php:335
action · wp_enqueue_scripts · media-library-plus.php:341
action · wp_footer · media-library-plus.php:342
action · admin_enqueue_scripts · media-library-plus.php:343
filter · mod_rewrite_rules · media-library-plus.php:614
filter · wp_generate_attachment_metadata · media-library-plus.php:1258
action · admin_notices · media-library-plus.php:1595
action · admin_notices · media-library-plus.php:1597
action · admin_notices · media-library-plus.php:1603
filter · wp_kses_allowed_html · media-library-plus.php:1713
filter · mod_rewrite_rules · media-library-plus.php:7057
filter · wp_generate_attachment_metadata · media-library-plus.php:7449
action · init · mlp-reset.php:56
action · admin_menu · mlp-reset.php:70
action · plugins_loaded · mlp-reset.php:76
action · admin_print_styles · mlp-reset.php:83

Scheduled Events 1

new_folder_check
Maintenance & Trust

Media Library Folders Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 12, 2026
PHP min version
Downloads: 2.2M

Community Trust

Rating: 86/100
Number of ratings: 462
Active installs: 10K
Developer Profile

Media Library Folders Developer Profile

maxfoundry

5 plugins · 113K total installs

Trust score: 75
Avg Security Score: 94/100
Avg Patch Time: 423 days
Detection Fingerprints

How We Detect Media Library Folders

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/media-library-plus/css/media-library-plus.css
  • /wp-content/plugins/media-library-plus/css/MGMediaLibraryFolders.css
  • /wp-content/plugins/media-library-plus/js/MGMediaLibraryFolders.js
  • /wp-content/plugins/media-library-plus/js/MediaLibraryFolders.js
  • /wp-content/plugins/media-library-plus/js/MediaLibraryFoldersAdmin.js
  • /wp-content/plugins/media-library-plus/js/MediaLibraryFoldersView.js
  • /wp-content/plugins/media-library-plus/js/MediaLibraryFoldersFrontend.js
Version Parameters
  • media-library-plus/css/media-library-plus.css?ver=
  • media-library-plus/css/MGMediaLibraryFolders.css?ver=
  • media-library-plus/js/MGMediaLibraryFolders.js?ver=
  • media-library-plus/js/MediaLibraryFolders.js?ver=
  • media-library-plus/js/MediaLibraryFoldersAdmin.js?ver=
  • media-library-plus/js/MediaLibraryFoldersView.js?ver=
  • media-library-plus/js/MediaLibraryFoldersFrontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
mgmlp-folder-item, mgmlp-folders-wrap, mgmlp-folders-container, mgmlp-folder-header, mgmlp-folder-contents, mgmlp-folder-breadcrumbs, mgmlp-folder-breadcrumb-item, mgmlp-move-folder-modal, +11 more
HTML Comments
<!-- Media Library Folders -->, <!-- Start: Media Library Folders -->, <!-- End: Media Library Folders -->, <!-- MAXGALLERIA_MEDIA_LIBRARY_PLUGIN_NAME -->, +44 more
Data Attributes
data-folder-id, data-folder-name, data-parent-id, data-is-root, data-current-folder-id, data-item-id, +5 more
JS Globals
MGMediaLibraryFolders, MediaLibraryFoldersAdmin, MediaLibraryFoldersView, MediaLibraryFoldersFrontend, mediaLibraryFoldersGlobals, MediaLibraryFoldersConfig
REST Endpoints
  • /wp-json/mgmlp/v1/folders
  • /wp-json/mgmlp/v1/folder
  • /wp-json/mgmlp/v1/move-folder
  • /wp-json/mgmlp/v1/upload
  • /wp-json/mgmlp/v1/media
  • /wp-json/mgmlp/v1/media-folder
FAQ

Frequently Asked Questions about Media Library Folders