Unattached Media Manager Security & Risk Analysis

wordpress.org/plugins/unattached-media-manager

Fix the WordPress Unattached media filter. Automatically attach used media files to their posts so you can safely clean up your library.

0 active installs · v1.0.6 · PHP 7.4+ · WP 5.8+ · Updated Mar 10, 2026
attachments · cleanup · media-cleaner · media-library · unused-media
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Unattached Media Manager Safe to Use in 2026?

Generally Safe

Score 100/100

Unattached Media Manager has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 24d ago
Risk Assessment

The unattached-media-manager v1.0.6 plugin exhibits a generally strong security posture with a significant number of good security practices implemented. The high percentage of properly escaped outputs (99%) and the presence of nonce and capability checks for the majority of its entry points are commendable. The plugin also has a clean vulnerability history with zero known CVEs, suggesting a history of secure development or diligent patching by maintainers. The taint analysis shows no critical or high-severity flows, which is a positive sign.

However, two significant concerns emerge from the static analysis. Firstly, the presence of two AJAX handlers that lack authentication checks creates a direct attack vector for unauthenticated users. Secondly, the use of the `unserialize` function, identified as a dangerous function, could lead to remote code execution vulnerabilities if user-controlled data is not strictly validated before being passed to it. While the plugin's overall security is good, these two specific areas represent tangible risks that should be addressed.

Key Concerns

  • Unprotected AJAX handlers
  • Use of unserialize function
Vulnerabilities
None known

Unattached Media Manager Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Unattached Media Manager Code Analysis

Dangerous Functions: 3
Raw SQL Queries: 41 · 52 prepared
Unescaped Output: 3 · 271 escaped
Nonce Checks: 38
Capability Checks: 42
File Operations: 1
External Requests: 1
Bundled Libraries: 0

Dangerous Functions Found

unserialize: $unserialized = @unserialize( $value ); (includes\class-unmam-attachment-manager.php:328)
unserialize: $unserialized = @unserialize( $meta_value ); (includes\parsers\class-unmam-acf-parser.php:413)
unserialize: $unserialized = @unserialize( $meta_value ); (includes\parsers\class-unmam-meta-parser.php:145)

SQL Query Safety

56% prepared · 93 total queries

Output Escaping

99% escaped · 274 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

2 flows · 1 with unsanitized paths
save_settings (includes\admin\class-unmam-admin.php:672)
[Data flow diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized]
Attack Surface
2 unprotected

Unattached Media Manager Attack Surface

Entry Points: 36
Unprotected: 2

AJAX Handlers 36

[auth] wp_ajax_unmam_get_statistics (includes\admin\class-unmam-admin.php:44)
[auth] wp_ajax_unmam_export_report (includes\admin\class-unmam-admin.php:45)
[auth] wp_ajax_unmam_attach_all_used (includes\admin\class-unmam-admin.php:46)
[auth] wp_ajax_unmam_get_history (includes\admin\class-unmam-admin.php:47)
[auth] wp_ajax_unmam_revert_change (includes\admin\class-unmam-admin.php:48)
[auth] wp_ajax_unmam_revert_bulk (includes\admin\class-unmam-admin.php:49)
[auth] wp_ajax_unmam_attach_single (includes\admin\class-unmam-admin.php:50)
[auth] wp_ajax_unmam_trash_media (includes\admin\class-unmam-admin.php:52)
[auth] wp_ajax_unmam_restore_media (includes\admin\class-unmam-admin.php:53)
[auth] wp_ajax_unmam_delete_single (includes\admin\class-unmam-admin.php:54)
[auth] wp_ajax_unmam_save_processing_mode (includes\admin\class-unmam-admin.php:58)
[auth] wp_ajax_unmam_bulk_attach (includes\admin\class-unmam-bulk-actions.php:49)
[auth] wp_ajax_unmam_bulk_detach (includes\admin\class-unmam-bulk-actions.php:50)
[auth] wp_ajax_unmam_bulk_mark_safe (includes\admin\class-unmam-bulk-actions.php:51)
[auth] wp_ajax_unmam_bulk_mark_unused (includes\admin\class-unmam-bulk-actions.php:52)
[auth] wp_ajax_unmam_bulk_delete_unused (includes\admin\class-unmam-bulk-actions.php:53)
[auth] wp_ajax_unmam_replace_attachment (includes\admin\class-unmam-bulk-actions.php:54)
[auth] wp_ajax_unmam_get_attachment_usage (includes\admin\class-unmam-media-modal.php:47)
[auth] wp_ajax_unmam_attach_to_post (includes\admin\class-unmam-media-modal.php:48)
[auth] wp_ajax_unmam_detach_from_post (includes\admin\class-unmam-media-modal.php:49)
[auth] wp_ajax_unmam_mark_safe (includes\admin\class-unmam-media-modal.php:50)
[auth] wp_ajax_unmam_unmark_safe (includes\admin\class-unmam-media-modal.php:51)
[auth] wp_ajax_unmam_async_process (includes\class-unmam-background-processor.php:95)
[nopriv] wp_ajax_unmam_async_process (includes\class-unmam-background-processor.php:96)
[auth] wp_ajax_unmam_start_background_scan (includes\class-unmam-background-processor.php:99)
[auth] wp_ajax_unmam_pause_scan (includes\class-unmam-background-processor.php:100)
[auth] wp_ajax_unmam_resume_scan (includes\class-unmam-background-processor.php:101)
[auth] wp_ajax_unmam_stop_scan (includes\class-unmam-background-processor.php:102)
[auth] wp_ajax_unmam_get_scan_status (includes\class-unmam-background-processor.php:103)
[auth] wp_ajax_unmam_process_scan_batch (includes\class-unmam-background-processor.php:106)
[auth] wp_ajax_unmam_start_job (includes\class-unmam-job-queue.php:111)
[auth] wp_ajax_unmam_stop_job (includes\class-unmam-job-queue.php:112)
[auth] wp_ajax_unmam_get_job_status (includes\class-unmam-job-queue.php:113)
[auth] wp_ajax_unmam_pause_job (includes\class-unmam-job-queue.php:114)
[auth] wp_ajax_unmam_resume_job (includes\class-unmam-job-queue.php:115)
[auth] wp_ajax_unmam_process_job_batch (includes\class-unmam-job-queue.php:118)

WordPress Hooks 23

[action] admin_menu (includes\admin\class-unmam-admin.php:41)
[action] admin_enqueue_scripts (includes\admin\class-unmam-admin.php:42)
[filter] bulk_actions-upload (includes\admin\class-unmam-bulk-actions.php:42)
[filter] handle_bulk_actions-upload (includes\admin\class-unmam-bulk-actions.php:43)
[action] admin_notices (includes\admin\class-unmam-bulk-actions.php:46)
[filter] attachment_fields_to_edit (includes\admin\class-unmam-media-modal.php:44)
[action] admin_enqueue_scripts (includes\admin\class-unmam-media-modal.php:54)
[filter] manage_media_columns (includes\admin\class-unmam-media-modal.php:57)
[action] manage_media_custom_column (includes\admin\class-unmam-media-modal.php:58)
[filter] cron_schedules (includes\class-unmam-background-processor.php:88)
[filter] cron_schedules (includes\class-unmam-job-queue.php:105)
[action] init (unattached-media-manager.php:179)
[action] rest_api_init (unattached-media-manager.php:180)
[action] unmam_background_scan (unattached-media-manager.php:183)
[action] unmam_index_single_post (unattached-media-manager.php:184)
[action] save_post (unattached-media-manager.php:187)
[action] delete_post (unattached-media-manager.php:188)
[action] add_attachment (unattached-media-manager.php:189)
[action] delete_attachment (unattached-media-manager.php:190)
[action] updated_post_meta (unattached-media-manager.php:191)
[action] added_post_meta (unattached-media-manager.php:192)
[action] deleted_post_meta (unattached-media-manager.php:193)
[action] acf/save_post (unattached-media-manager.php:196)

Scheduled Events 5

unmam_background_scan
unmam_index_single_post
unmam_index_single_post
unmam_index_single_post
unmam_index_single_post
Maintenance & Trust

Unattached Media Manager Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 10, 2026
PHP min version: 7.4
Downloads: 294

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0
Developer Profile

Unattached Media Manager Developer Profile

sungraizfaryad

3 plugins · 1K total installs

Trust score: 92
Avg Security Score: 97/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Unattached Media Manager

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/unattached-media-manager/assets/css/unmam.css
  • /wp-content/plugins/unattached-media-manager/assets/js/unmam.js
  • /wp-content/plugins/unattached-media-manager/assets/js/unmam-media-modal.js
Script Paths
  • /wp-content/plugins/unattached-media-manager/assets/js/unmam.js
  • /wp-content/plugins/unattached-media-manager/assets/js/unmam-media-modal.js
Version Parameters
  • unattached-media-manager/assets/css/unmam.css?ver=
  • unattached-media-manager/assets/js/unmam.js?ver=
  • unattached-media-manager/assets/js/unmam-media-modal.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • unmam-attachment-manager-wrapper
  • unmam-history-table
  • unmam-media-modal-content
HTML Comments
  • <!-- Unattached Media Manager settings -->
  • <!-- Unattached Media Manager history -->
  • <!-- Unattached Media Manager bulk actions -->
  • <!-- Unattached Media Manager media modal -->
Data Attributes
  • data-unmam-post-id
  • data-unmam-attachment-id
  • data-unmam-modal-target
  • data-unmam-action
  • data-unmam-nonce
JS Globals
  • unmam_vars
  • unmam_admin_params
  • unmam_media_modal_params
REST Endpoints
  • /wp-json/unmam/v1/scan
  • /wp-json/unmam/v1/attach-all
  • /wp-json/unmam/v1/get-history
  • /wp-json/unmam/v1/get-settings
  • /wp-json/unmam/v1/save-settings
FAQ

Frequently Asked Questions about Unattached Media Manager