Phoenix Media Rename Security & Risk Analysis

wordpress.org/plugins/phoenix-media-rename

The Phoenix Media Rename plugin allows you to easily rename (and retitle) your media files, once uploaded.

50K active installs · v3.13.1 · PHP 8.0+ · WP 5.0+ · Updated Sep 25, 2025
Tags: file, image, media, rename, retitle
Score: 100 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Oct 6, 2021
Safety Verdict

Is Phoenix Media Rename Safe to Use in 2026?

Generally Safe

Score 100/100

Phoenix Media Rename has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Oct 6, 2021 · Updated 6mo ago
Risk Assessment

The phoenix-media-rename plugin v3.13.1 exhibits a mixed security posture with several concerning findings. While it demonstrates some good practices such as a low number of entry points and the use of prepared statements for the majority of SQL queries, the presence of a single unprotected AJAX handler presents a significant risk. This unprotected entry point, combined with the use of the `unserialize` function and a flow with an unsanitized path, creates a potential avenue for attackers to execute arbitrary code or manipulate plugin functionality without proper authentication.

The plugin's vulnerability history shows one known medium-severity CVE related to improper access control. While currently patched, this history suggests a pattern of potential weaknesses in how access is managed. The overall low percentage of properly escaped output is also a concern, as it could lead to cross-site scripting (XSS) vulnerabilities.

In conclusion, while the plugin has strengths in its limited attack surface and SQL query practices, the unprotected AJAX handler, the use of `unserialize`, and the historical access control issues warrant caution. Further investigation into the specific implementation of the AJAX handler and the use of `unserialize` is recommended to fully assess the risk.

Key Concerns

  • Unprotected AJAX handler
  • Use of dangerous function: unserialize
  • Flow with unsanitized path
  • Low percentage of properly escaped output
  • One known medium CVE (improper access control)
Vulnerabilities
1

Phoenix Media Rename Security Vulnerabilities

CVEs by Year

1 CVE in 2021

Severity Breakdown

Medium: 1

1 total CVE

CVE-2021-24816 · medium · 4.3 · Improper Access Control

Phoenix Media Rename <= 3.4.2 - Author Arbitrary Media File Renaming

Oct 6, 2021 · Patched in 3.4.4 (839d)
Code Analysis
Analyzed Mar 16, 2026

Phoenix Media Rename Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 4 (16 prepared)
Unescaped Output: 31 (7 escaped)
Nonce Checks: 1
Capability Checks: 1
File Operations: 7
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

unserialize · `$var = @unserialize($var);` · classes\class-lib.php:332

SQL Query Safety

80% prepared · 20 total queries

Output Escaping

18% escaped · 38 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

2 flows · 1 with unsanitized paths
ajax_pnx_rename (classes\class-media-rename.php:300)
Attack Surface
1 unprotected

Phoenix Media Rename Attack Surface

Entry Points: 1
Unprotected: 1

AJAX Handlers: 1

  • auth · wp_ajax_phoenix_media_rename · phoenix-media-rename.php:49

WordPress Hooks: 17

  • filter · as3cf_get_attached_file_copy_back_to_local · classes\class-media-rename.php:651
  • action · atai_alttext_generated · classes\class-plugins.php:28
  • action · admin_menu · classes\class-pmr-settings.php:19
  • action · admin_init · classes\class-pmr-settings.php:20
  • action · plugins_loaded · phoenix-media-rename.php:33
  • filter · manage_media_columns · phoenix-media-rename.php:42
  • filter · attachment_fields_to_edit · phoenix-media-rename.php:43
  • filter · sanitize_file_name_chars · phoenix-media-rename.php:44
  • action · load-upload.php · phoenix-media-rename.php:46
  • action · admin_notices · phoenix-media-rename.php:47
  • action · manage_media_custom_column · phoenix-media-rename.php:48
  • action · admin_enqueue_scripts · phoenix-media-rename.php:50
  • action · admin_enqueue_scripts · phoenix-media-rename.php:51
  • action · admin_enqueue_scripts · phoenix-media-rename.php:52
  • action · admin_footer · phoenix-media-rename.php:53
  • action · plugins_loaded · phoenix-media-rename.php:57
  • action · in_plugin_update_message-phoenix-media-rename/phoenix-media-rename.php · phoenix-media-rename.php:79
Maintenance & Trust

Phoenix Media Rename Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Sep 25, 2025
PHP min version: 8.0
Downloads: 1.5M

Community Trust

Rating: 94/100
Number of ratings: 75
Active installs: 50K
Developer Profile

Phoenix Media Rename Developer Profile

crossi72

1 plugin · 50K total installs

Trust score: 79
Avg Security Score: 100/100
Avg Patch Time: 839 days
Detection Fingerprints

How We Detect Phoenix Media Rename

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/phoenix-media-rename/css/phoenix-media-rename.css
  • /wp-content/plugins/phoenix-media-rename/js/phoenix-media-rename.js
  • /wp-content/plugins/phoenix-media-rename/js/phoenix-media-rename-options.js
  • /wp-content/plugins/phoenix-media-rename/js/phoenix-media-rename-edit.js

Script Paths

  • /wp-content/plugins/phoenix-media-rename/js/phoenix-media-rename.js
  • /wp-content/plugins/phoenix-media-rename/js/phoenix-media-rename-options.js
  • /wp-content/plugins/phoenix-media-rename/js/phoenix-media-rename-edit.js

Version Parameters

  • phoenix-media-rename/css/phoenix-media-rename.css?ver=
  • phoenix-media-rename/js/phoenix-media-rename.js?ver=
  • phoenix-media-rename/js/phoenix-media-rename-options.js?ver=
  • phoenix-media-rename/js/phoenix-media-rename-edit.js?ver=

HTML / DOM Fingerprints

CSS Classes: phoenix-media-rename-column
Data Attributes: data-title, data-field, data-action, data-type
JS Globals: phoenix_media_rename_params