MediaView Security & Risk Analysis

wordpress.org/plugins/mediaview

Display galleries / slideshows of photos / videos in any post or page within your site.

10 active installs v1.1.3 PHP + WP 4.4.0+ Updated May 19, 2025
galleryslideshowvideovimeoyoutube
91
A · Safe
CVEs total2
Unpatched0
Last CVEApr 2, 2025
Safety Verdict

Is MediaView Safe to Use in 2026?

Generally Safe

Score 91/100

MediaView has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEsLast CVE: Apr 2, 2025Updated 1yr ago
Risk Assessment

The mediaview plugin, version 1.1.3, presents a moderate security risk. While it demonstrates some good practices like a high percentage of prepared statements for SQL queries and a decent number of nonce checks, several significant concerns are present. The attack surface includes three unprotected AJAX handlers, which are direct entry points for malicious actors. Taint analysis revealed flows with unsanitized paths, including one of high severity, indicating potential for data manipulation or execution vulnerabilities. The plugin's history of two medium severity Cross-Site Scripting (XSS) vulnerabilities, despite being patched, suggests a recurring pattern of input sanitization issues. The fact that there are no currently unpatched CVEs is positive, but the presence of unprotected AJAX handlers and high-severity taint flows alongside historical XSS issues elevates the overall risk profile.

Key Concerns

  • Unprotected AJAX handlers (3)
  • High severity unsanitized path taint flow (1)
  • Improper output escaping (48% not escaped)
  • No capability checks on entry points
  • Dangerous function 'unserialize' used (5)
  • Medium severity CVEs in history (2)
Vulnerabilities
2 published

MediaView Security Vulnerabilities

CVEs by Year

2 CVEs in 2025
2025
Patched Has unpatched

Severity Breakdown

Medium
2

2 total CVEs

CVE-2025-31898medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

MediaView <= 1.1.2 - Reflected Cross-Site Scripting

Apr 2, 2025 Patched in 1.1.3 (50d)
CVE-2025-2481medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

MediaView <= 1.1.2 - Reflected Cross-Site Scripting via id Parameter

Mar 26, 2025 Patched in 1.1.3 (224d)
Version History

MediaView Release Timeline

Code Analysis
Analyzed Mar 17, 2026

MediaView Code Analysis

Dangerous Functions
5
Raw SQL Queries
6
21 prepared
Unescaped Output
48
45 escaped
Nonce Checks
7
Capability Checks
0
File Operations
3
External Requests
1
Bundled Libraries
0

Dangerous Functions Found

unserialize$unserializedData = unserialize($item->MEDIA_VALUE);src\Service\Factory\MediaFactory.php:102
unserialize$unserializedMedia = unserialize($media->MEDIA_VALUE);src\Service\Processor\FormProcessor.php:167
unserialize$intdata = unserialize($media->MEDIA_VALUE);src\View\EditMediaView.php:9
unserialize$data = unserialize($val['MEDIA_VALUE']);src\View\MediaItemListTableView.php:141
unserialize$data = unserialize($item->MEDIA_VALUE);src\View\ShortcodeView.php:40

SQL Query Safety

78% prepared27 total queries

Output Escaping

48% escaped93 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths
search_box (src\View\WPListTableBaseView.php:349)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
3 unprotected

MediaView Attack Surface

Entry Points4
Unprotected3

AJAX Handlers 3

authwp_ajax_mv_orderupdatesrc\Controller\View\DashboardController.php:35
authwp_ajax_mv_deleteitemsrc\Controller\View\DashboardController.php:36
authwp_ajax_mv_deleteshortcodesrc\Controller\View\DashboardController.php:37

Shortcodes 1

[mediaview] src\Controller\View\AppController.php:20
WordPress Hooks 11
actionadmin_noticesmediaview.php:131
actionadmin_noticesmediaview.php:132
actionwp_enqueue_scriptssrc\Controller\View\AppController.php:23
actionwp_enqueue_scriptssrc\Controller\View\AppController.php:24
actionadmin_initsrc\Controller\View\DashboardController.php:27
actionadmin_menusrc\Controller\View\DashboardController.php:28
actionadmin_enqueue_scriptssrc\Controller\View\DashboardController.php:31
actionadmin_enqueue_scriptssrc\Controller\View\DashboardController.php:32
actionadmin_noticessrc\Service\Maintenance.php:84
filterlist_table_primary_columnsrc\View\ShortcodeListTableView.php:20
actionadmin_footersrc\View\WPListTableBaseView.php:160
Maintenance & Trust

MediaView Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5
Last updatedMay 19, 2025
PHP min version
Downloads3K

Community Trust

Rating0/100
Number of ratings0
Active installs10
Developer Profile

MediaView Developer Profile

dustinscarberry

3 plugins · 310 total installs

71
trust score
Avg Security Score
89/100
Avg Patch Time
215 days
View full developer profile
Detection Fingerprints

How We Detect MediaView

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/mediaview/public/build/app.min.css/wp-content/plugins/mediaview/public/build/app.min.js/wp-content/plugins/mediaview/public/static/media-slider.min.js/wp-content/plugins/mediaview/public/build/admin.min.css/wp-content/plugins/mediaview/public/build/admin.min.js/mediaview/translations
Script Paths
../../../public/static/media-slider.min.js../../../public/build/app.min.js../../../public/build/admin.min.js
Version Parameters
mediaview/style.css?ver=mediaview/script.js?ver=

HTML / DOM Fingerprints

CSS Classes
mv-gallery-slider
Data Attributes
data-mv-shortcode-id
JS Globals
mvJSData
Shortcode Output
[mediaview id=
FAQ

Frequently Asked Questions about MediaView