Upload Janitor Security & Risk Analysis

wordpress.org/plugins/upload-janitor

Clean up unused images and other files from your uploads folder.

50 active installs · v0.2 · PHP + WP 2.6+ · Updated Jan 20, 2010
Tags: clean, delete, files, unused, upload

Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Upload Janitor Safe to Use in 2026?

Generally Safe

Score 85/100

Upload Janitor has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 16 years ago
Risk Assessment

The 'upload-janitor' plugin v0.2 exhibits a mixed security posture. On the positive side, its attack surface appears minimal, with no identifiable AJAX handlers, REST API routes, shortcodes, or cron events exposed without authentication. The vulnerability history is also clean, with no recorded CVEs, suggesting a history of good security practices or a lack of past exploitation. However, the static analysis reveals significant concerns within the codebase itself. The presence of dangerous functions like `proc_open` and `create_function` raises immediate red flags, as these can be exploited for remote code execution if not handled with extreme caution. Furthermore, the taint analysis indicates that all analyzed flows involve unsanitized paths, which is a critical vulnerability, even though no specific severity was assigned at this stage. This suggests a high likelihood of path traversal vulnerabilities. The complete lack of output escaping is another major weakness, potentially leading to cross-site scripting (XSS) vulnerabilities. While the plugin has no known CVEs, the internal code quality issues, particularly with unsanitized paths and unescaped output, present a substantial inherent risk that could be exploited by a motivated attacker.

Key Concerns

  • Dangerous function: proc_open used
  • Dangerous function: create_function used
  • All flows with unsanitized paths
  • 0% output escaping
  • SQL queries without prepared statements
  • No capability checks

Vulnerabilities: None known

Upload Janitor Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis (analyzed Mar 16, 2026)

Upload Janitor Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 1 (1 prepared)
Unescaped Output: 27 (0 escaped)
Nonce Checks: 4
Capability Checks: 0
File Operations: 4
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

  • proc_open at upload-janitor.php:383 (snippet as reported, truncated):
    $proc = proc_open("tar zcf ".escapeshellarg(trailingslashit($upload['basedir']).$archive_name)." -C
  • create_function at upload-janitor.php:489 (snippet as reported, truncated):
    $subquery = join(' OR ', array_map(create_function('$term', "return '$wpdb->posts.post_content LIKE

SQL Query Safety

50% prepared (2 total queries)

Output Escaping

0% escaped (27 total outputs)
Data Flows: 6 unsanitized

Data Flow Analysis

6 flows, 6 with unsanitized paths

  • upload_janitor_controller (upload-janitor.php:24)

Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface

Upload Janitor Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 1
  • action admin_menu (upload-janitor.php:524)
Maintenance & Trust

Upload Janitor Maintenance & Trust

Maintenance Signals

WordPress version tested: 2.9.2
Last updated: Jan 20, 2010
PHP min version: not listed
Downloads: 9K

Community Trust

Rating: 80/100
Number of ratings: 4
Active installs: 50
Developer Profile

Upload Janitor Developer Profile

michaeltyson

3 plugins · 160 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Upload Janitor

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths: /wp-content/plugins/upload-janitor/spinner.gif
Version Parameters: upload-janitor/spinner.gif?ver=

HTML / DOM Fingerprints

CSS Classes: wrap, ul-disc
Data Attributes: id="upload_janitor_introduction", id="upload_janitor_searching", name="selections[]", name="stage", name="archive", name="continue"
JS Globals: jQuery
FAQ

Frequently Asked Questions about Upload Janitor