Media Library Tools – Rename, Clean & CSV Import/Export Security & Risk Analysis

wordpress.org/plugins/media-library-tools

Media Rename, CSV export import, find unused media, search rubbish files, support SVG, bulk edit titles, ALT tags, captions & descriptions

1K active installs v2.1.0 PHP 7.4+ WP 5.5+ Updated Mar 3, 2026
Tags: cleaner csv export media rename
Score: 98 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Dec 11, 2025
Safety Verdict

Is Media Library Tools – Rename, Clean & CSV Import/Export Safe to Use in 2026?

Generally Safe

Score 98/100

Media Library Tools – Rename, Clean & CSV Import/Export has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Dec 11, 2025 · Updated 1mo ago
Risk Assessment

The "media-library-tools" v2.1.0 plugin presents a mixed security posture. While it demonstrates strong practices in its use of prepared statements for SQL queries and excellent output escaping, significant concerns arise from its attack surface. A large number of AJAX handlers (17 out of 19) lack authentication checks, creating potential entry points for unauthorized actions. The absence of critical or high severity taint flows is a positive sign, suggesting that current data processing might be more secure. However, the vulnerability history, with two known medium severity CVEs related to SQL Injection and Cross-site Scripting, indicates past weaknesses that users should be aware of. Although these are currently patched, the pattern suggests a need for continued vigilance and robust security practices within the plugin's development.

Overall, the plugin has strengths in its internal code sanitization and data handling. However, the exposed AJAX endpoints without proper authentication are a critical concern that could be exploited. The historical vulnerabilities, even if medium severity, highlight that past issues have been present and that the plugin is not immune to common web vulnerabilities. The developers should prioritize addressing the unauthenticated AJAX handlers to significantly improve the plugin's security profile. Future development should focus on maintaining the current code quality while ensuring all entry points are adequately protected.

Key Concerns

  • Unprotected AJAX handlers
  • Medium severity CVEs in history
  • Limited nonce checks
  • Limited capability checks
Vulnerabilities: 2

Media Library Tools – Rename, Clean & CSV Import/Export Security Vulnerabilities

CVEs by Year

2024: 1 CVE
2025: 1 CVE

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2025-67520 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Media Library Tools <= 1.6.15 - Authenticated (Author+) SQL Injection

Dec 11, 2025 Patched in 1.7.0 (9d)
CVE-2024-10482 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Media Library Tools <= 1.4.0 - Authenticated (Author+) Stored Cross-Site Scripting

Oct 31, 2024 Patched in 1.5.0 (5d)
Code Analysis
Analyzed Mar 16, 2026

Media Library Tools – Rename, Clean & CSV Import/Export Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (6 prepared)
Unescaped Output: 1 (195 escaped)
Nonce Checks: 4
Capability Checks: 2
File Operations: 3
External Requests: 2
Bundled Libraries: 0

SQL Query Safety

100% prepared · 6 total queries

Output Escaping

99% escaped · 196 total outputs

Data Flows: All sanitized

Data Flow Analysis

2 flows
<ActionHooks> (app\Controllers\Hooks\ActionHooks.php:0)
Attack Surface: 17 unprotected

Media Library Tools – Rename, Clean & CSV Import/Export Attack Surface

Entry Points: 20
Unprotected: 17

AJAX Handlers 19

auth wp_ajax_tsmlt_dismiss_offer_admin_notice app\Abs\Discount.php:126
auth wp_ajax_immediately_search_rubbish_file app\Controllers\Hooks\Ajax.php:35
auth wp_ajax_tsmlt_get_media app\Controllers\Hooks\Ajax.php:38
auth wp_ajax_tsmlt_media_count app\Controllers\Hooks\Ajax.php:39
auth wp_ajax_tsmlt_update_single_media app\Controllers\Hooks\Ajax.php:40
auth wp_ajax_tsmlt_bulk_submit app\Controllers\Hooks\Ajax.php:41
auth wp_ajax_tsmlt_get_dates app\Controllers\Hooks\Ajax.php:44
auth wp_ajax_tsmlt_get_terms app\Controllers\Hooks\Ajax.php:45
auth wp_ajax_tsmlt_get_options app\Controllers\Hooks\Ajax.php:46
auth wp_ajax_tsmlt_update_option app\Controllers\Hooks\Ajax.php:47
auth wp_ajax_tsmlt_get_rubbish_filetype app\Controllers\Hooks\Ajax.php:50
auth wp_ajax_tsmlt_get_rubbish_file app\Controllers\Hooks\Ajax.php:51
auth wp_ajax_tsmlt_get_dir_list app\Controllers\Hooks\Ajax.php:52
auth wp_ajax_tsmlt_rescan_dir app\Controllers\Hooks\Ajax.php:53
auth wp_ajax_tsmlt_search_file_by_dir app\Controllers\Hooks\Ajax.php:54
auth wp_ajax_tsmlt_truncate_unlisted_file app\Controllers\Hooks\Ajax.php:55
auth wp_ajax_tsmlt_clear_schedule app\Controllers\Hooks\Ajax.php:58
auth wp_ajax_tsmlt_get_registered_image_sizes app\Controllers\Hooks\Ajax.php:59
auth wp_ajax_tsmlt_get_plugin_list app\Controllers\Hooks\Ajax.php:60

Shortcodes 1

[tsmlt_download_button] app\Modules\DownloadMedia.php:47
WordPress Hooks 39
action admin_init app\Abs\Discount.php:34
action admin_enqueue_scripts app\Abs\Discount.php:123
action admin_notices app\Abs\Discount.php:124
action admin_footer app\Abs\Discount.php:125
filter posts_clauses app\Controllers\Admin\Api.php:467
action init app\Controllers\Admin\RegisterPostAndTax.php:29
action admin_menu app\Controllers\Admin\SubMenu.php:39
action admin_enqueue_scripts app\Controllers\AssetsController.php:44
action admin_notices app\Controllers\Dependencies.php:36
action manage_media_custom_column app\Controllers\Hooks\ActionHooks.php:34
action add_attachment app\Controllers\Hooks\ActionHooks.php:35
action in_admin_header app\Controllers\Hooks\ActionHooks.php:37
filter attachment_fields_to_edit app\Controllers\Hooks\ActionHooks.php:38
filter cron_schedules app\Controllers\Hooks\CronJobHooks.php:36
action init app\Controllers\Hooks\CronJobHooks.php:38
action tsmlt_upload_dir_scan app\Controllers\Hooks\CronJobHooks.php:39
action init app\Controllers\Hooks\CronJobHooks.php:41
action tsmlt_upload_inner_file_scan app\Controllers\Hooks\CronJobHooks.php:42
action init app\Controllers\Hooks\CronJobHooks.php:44
action tsmlt_five_times_thumbnail_event app\Controllers\Hooks\CronJobHooks.php:45
filter manage_media_columns app\Controllers\Hooks\FilterHooks.php:31
filter manage_upload_sortable_columns app\Controllers\Hooks\FilterHooks.php:32
filter posts_clauses app\Controllers\Hooks\FilterHooks.php:33
filter request app\Controllers\Hooks\FilterHooks.php:34
filter media_row_actions app\Controllers\Hooks\FilterHooks.php:35
filter default_hidden_columns app\Controllers\Hooks\FilterHooks.php:36
filter plugin_row_meta app\Controllers\Hooks\FilterHooks.php:37
filter intermediate_image_sizes_advanced app\Controllers\Hooks\FilterHooks.php:39
filter mime_types app\Controllers\Hooks\FilterHooks.php:42
filter wp_check_filetype_and_ext app\Controllers\Hooks\FilterHooks.php:43
filter wp_handle_upload_prefilter app\Controllers\Hooks\FilterHooks.php:45
filter wp_generate_attachment_metadata app\Controllers\Hooks\FilterHooks.php:47
action admin_init app\Controllers\Notice\Review.php:34
action admin_init app\Controllers\Notice\Review.php:35
action admin_footer app\Controllers\Notice\Review.php:36
action admin_notices app\Controllers\Notice\Review.php:75
action init app\Modules\DownloadMedia.php:35
action wp_head app\Modules\DownloadMedia.php:36
action plugins_loaded app\Tsmlt.php:50
Maintenance & Trust

Media Library Tools – Rename, Clean & CSV Import/Export Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 3, 2026
PHP min version: 7.4
Downloads: 29K

Community Trust

Rating: 94/100
Number of ratings: 12
Active installs: 1K
Developer Profile

Media Library Tools – Rename, Clean & CSV Import/Export Developer Profile

Tiny Solutions

2 plugins · 1K total installs

Trust score: 99
Avg Security Score: 99/100
Avg Patch Time: 7 days
Detection Fingerprints

How We Detect Media Library Tools – Rename, Clean & CSV Import/Export

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/media-library-tools/app/Abs/../assets/css/styles.css
/wp-content/plugins/media-library-tools/app/Abs/../assets/js/scripts.js
Script Paths
/wp-content/plugins/media-library-tools/app/Abs/../assets/js/scripts.js
Version Parameters
media-library-tools/app/Abs/../assets/css/styles.css?ver=
media-library-tools/app/Abs/../assets/js/scripts.js?ver=

HTML / DOM Fingerprints

CSS Classes
tsmlt-offer-notice
Data Attributes
data-tsmltdismissable="tsmlt_offer"
JS Globals
tsmlt
FAQ

Frequently Asked Questions about Media Library Tools – Rename, Clean & CSV Import/Export