Media Vault Security & Risk Analysis

wordpress.org/plugins/media-vault

Protect attachment files from direct access using powerful and flexible restrictions. Offer safe download links for any file in your uploads folder.

800 active installs · v0.8.12 · PHP + · WP 3.5.0+ · Updated Feb 18, 2014
Tags: attachments, downloads, media, protection, security
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Media Vault Safe to Use in 2026?

Generally Safe

Score 85/100

Media Vault has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 12yr ago
Risk Assessment

The "media-vault" plugin v0.8.12 exhibits a mixed security posture. On the positive side, it has a clean vulnerability history with no known CVEs, and 9 of its 12 SQL queries (75%) use prepared statements, indicating good database interaction practices. The plugin also implements 7 nonce checks and 13 capability checks, and escapes 59 of its 85 outputs (69%).

However, several concerns warrant attention. The plugin registers two AJAX handlers, and one lacks authentication checks, which creates a direct attack vector. Both `unserialize` calls (mv-class-update.php:149 and mv-file-handler.php:92) operate on `meta_value` data; `unserialize` is a significant risk because it can lead to Remote Code Execution if untrusted data is passed to it. Furthermore, the taint analysis found unsanitized paths in 6 of the 7 analyzed flows, suggesting potential vulnerabilities in how data is handled, even though no critical or high-severity issues were identified in this specific scan.

Overall, while the lack of historical vulnerabilities is encouraging, the identified code-level risks, particularly the unprotected AJAX handler and the use of `unserialize`, necessitate careful consideration. The plugin has several strengths in its handling of database queries and output escaping, but the identified entry points and potentially unsafe function usage introduce notable risks that should be addressed to improve its security.

Key Concerns

  • Unprotected AJAX handler
  • Use of unserialize function
  • Flows with unsanitized paths
Vulnerabilities
None known

Media Vault Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Media Vault Code Analysis

  • Dangerous Functions: 2
  • Raw SQL Queries: 3 (9 prepared)
  • Unescaped Output: 26 (59 escaped)
  • Nonce Checks: 7
  • Capability Checks: 13
  • File Operations: 4
  • External Requests: 1
  • Bundled Libraries: 0

Dangerous Functions Found

  • unserialize: `$meta = unserialize( $columns['meta_value'] );` (mv-class-update.php:149)
  • unserialize: `$meta_value = unserialize( $attachment['meta_value'] );` (mv-file-handler.php:92)

SQL Query Safety

75% prepared · 12 total queries

Output Escaping

69% escaped · 85 total outputs
Data Flows
6 unsanitized

Data Flow Analysis

7 flows · 6 with unsanitized paths
__construct (mv-class-update.php:62)
Attack Surface
1 unprotected

Media Vault Attack Surface

Entry Points: 3
Unprotected: 1

AJAX Handlers: 2

  • auth · wp_ajax_mgjp_mv_get_attachment_image · mv-ajax-actions.php:42
  • auth · wp_ajax_mgjp_mv_restore_default_placeholder_image · mv-ajax-actions.php:72

Shortcodes: 1

  • [mv_dl_links] · _mediavault.php:401

WordPress Hooks: 46

  • filter · attachment_fields_to_edit · mv-ajax-actions.php:157
  • action · edit_attachment · mv-ajax-actions.php:184
  • action · edit_attachment · mv-ajax-actions.php:198
  • filter · attachment_fields_to_save · mv-ajax-actions.php:218
  • action · init · mv-extra-activation-steps.php:28
  • action · admin_notices · mv-extra-activation-steps.php:58
  • action · network_admin_notices · mv-extra-activation-steps.php:59
  • action · admin_menu · mv-extra-activation-steps.php:84
  • action · network_admin_menu · mv-extra-activation-steps.php:85
  • action · admin_notices · mv-extra-deactivation-steps.php:58
  • action · network_admin_notices · mv-extra-deactivation-steps.php:59
  • action · admin_menu · mv-extra-deactivation-steps.php:84
  • action · network_admin_menu · mv-extra-deactivation-steps.php:85
  • action · admin_enqueue_scripts · mv-metaboxes.php:39
  • action · edit_attachment · mv-metaboxes.php:142
  • action · edit_attachment · mv-metaboxes.php:156
  • action · edit_attachment · mv-metaboxes.php:176
  • filter · media_row_actions · mv-options-media-library.php:36
  • filter · manage_upload_columns · mv-options-media-library.php:54
  • action · manage_media_custom_column · mv-options-media-library.php:96
  • action · admin_head-upload.php · mv-options-media-library.php:115
  • action · admin_footer-upload.php · mv-options-media-library.php:154
  • action · admin_notices · mv-options-media-library.php:194
  • action · admin_enqueue_scripts · mv-options-media-new.php:25
  • action · admin_footer-media-new.php · mv-options-media-new.php:68
  • action · post-upload-ui · mv-options-media-new.php:115
  • action · pre-plupload-upload-ui · mv-options-media-new.php:137
  • action · admin_enqueue_scripts · mv-options-media-vault.php:307
  • action · plugins_loaded · _mediavault.php:79
  • action · init · _mediavault.php:81
  • action · load-plugins.php · _mediavault.php:83
  • action · init · _mediavault.php:87
  • action · init · _mediavault.php:88
  • action · wp_enqueue_media · _mediavault.php:90
  • filter · mod_rewrite_rules · _mediavault.php:92
  • filter · upload_dir · _mediavault.php:94
  • filter · user_has_cap · _mediavault.php:96
  • filter · image_downsize · _mediavault.php:98
  • action · admin_init · _mediavault.php:102
  • action · admin_init · _mediavault.php:103
  • action · admin_init · _mediavault.php:104
  • action · load-media-new.php · _mediavault.php:106
  • action · load-upload.php · _mediavault.php:107
  • filter · admin_body_class · _mediavault.php:109
  • filter · mod_rewrite_rules · _mediavault.php:190
  • filter · image_downsize · _mediavault.php:537
Maintenance & Trust

Media Vault Maintenance & Trust

Maintenance Signals

WordPress version tested: 3.7.41
Last updated: Feb 18, 2014
PHP min version
Downloads: 17K

Community Trust

Rating: 88/100
Number of ratings: 27
Active installs: 800
Developer Profile

Media Vault Developer Profile

Max GJ Panas

1 plugin · 800 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Media Vault

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/media-vault/mv-admin/css/mv-admin.css
  • /wp-content/plugins/media-vault/mv-admin/js/mv-admin.js
  • /wp-content/plugins/media-vault/mv-public/css/mv-public.css

Script Paths

  • /wp-content/plugins/media-vault/mv-admin/js/mv-admin.js

Version Parameters

  • media-vault/mv-admin/css/mv-admin.css?ver=
  • media-vault/mv-admin/js/mv-admin.js?ver=
  • media-vault/mv-public/css/mv-public.css?ver=

HTML / DOM Fingerprints

CSS Classes: mv-options-wrap
Data Attributes: data-mv-item-id
JS Globals: mediaVaultAdmin
FAQ

Frequently Asked Questions about Media Vault