WP Media Categories Security & Risk Analysis

wordpress.org/plugins/wp-media-categories

Add categories to media & attachments.

800 active installs · v2.1.0 · PHP 7.0+ · WP 5.0+ · Updated Mar 31, 2026
Tags: attachment, categories, category, library, media
Score: 78 · B · Generally Safe
CVEs total: 1
Unpatched: 1
Last CVE: Sep 26, 2025
Safety Verdict

Is WP Media Categories Safe to Use in 2026?

Mostly Safe

Score 78/100

WP Media Categories is generally safe to use. 1 past CVE was resolved.

1 known CVE · 1 unpatched · Last CVE: Sep 26, 2025 · Updated 1mo ago
Risk Assessment

The wp-media-categories v2.1.0 plugin exhibits a mixed security posture. While it demonstrates good practices in its SQL query handling and file operations, there are significant concerns regarding its attack surface and output sanitization. The presence of two unprotected AJAX handlers represents a direct vulnerability to unauthenticated attackers, potentially leading to unauthorized actions or information disclosure. Furthermore, the low percentage of properly escaped output (31%) indicates a substantial risk of Cross-Site Scripting (XSS) vulnerabilities, allowing attackers to inject malicious scripts into the site. The plugin's vulnerability history, including a known medium severity CVE for Cross-Site Request Forgery (CSRF), highlights a recurring pattern of security weaknesses. The fact that this CVE remains unpatched is a critical issue. Overall, while the plugin has some secure coding practices, the unprotected entry points, poor output escaping, and unpatched vulnerability significantly elevate its risk profile.

Key Concerns

  • Unprotected AJAX handlers (2)
  • Low percentage of properly escaped output (31%)
  • Unpatched CVE (1 medium)
  • Missing nonce checks on AJAX
Vulnerabilities
1 published

WP Media Categories Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-60134 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

WP Media Categories <= 2.1.0 - Cross-Site Request Forgery

Sep 26, 2025 · Unpatched
Version History

WP Media Categories Release Timeline

v2.1.0 · Current · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

WP Media Categories Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (2 prepared)
  • Unescaped Output: 22 (10 escaped)
  • Nonce Checks: 1
  • Capability Checks: 5
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

31% escaped · 32 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

1 flow
<admin> (wp-media-categories\includes\admin.php:0)
Attack Surface
2 unprotected

WP Media Categories Attack Surface

Entry Points: 3
Unprotected: 2

AJAX Handlers 2

auth · wp_ajax_query-attachments · wp-media-categories\includes\hooks.php:30
auth · wp_ajax_save-attachment-compat · wp-media-categories\includes\hooks.php:33

Shortcodes 1

[mc-gallery] wp-media-categories\includes\hooks.php:45
WordPress Hooks 13
action · init · wp-media-categories\includes\hooks.php:13
action · init · wp-media-categories\includes\hooks.php:14
action · admin_enqueue_scripts · wp-media-categories\includes\hooks.php:17
action · admin_footer-upload.php · wp-media-categories\includes\hooks.php:18
action · admin_notices · wp-media-categories\includes\hooks.php:19
action · load-upload.php · wp-media-categories\includes\hooks.php:20
action · add_attachment · wp-media-categories\includes\hooks.php:23
action · edit_attachment · wp-media-categories\includes\hooks.php:24
filter · attachment_fields_to_edit · wp-media-categories\includes\hooks.php:27
action · restrict_manage_posts · wp-media-categories\includes\hooks.php:36
filter · request · wp-media-categories\includes\hooks.php:39
action · pre_get_posts · wp-media-categories\includes\hooks.php:42
action · plugins_loaded · wp-media-categories.php:38
Maintenance & Trust

WP Media Categories Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.4.19
Last updated: Mar 31, 2026
PHP min version: 7.0
Downloads: 20K

Community Trust

Rating: 92/100
Number of ratings: 7
Active installs: 800
Developer Profile

WP Media Categories Developer Profile

John James Jacoby

28 plugins · 331K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 1401 days
Detection Fingerprints

How We Detect WP Media Categories

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-media-categories/assets/js/media-views.js
/wp-content/plugins/wp-media-categories/assets/css/admin.css
Script Paths
/wp-content/plugins/wp-media-categories/wp-media-categories.php
Version Parameters
wp-media-categories/assets/css/admin.css?ver=
wp-media-categories/assets/js/media-views.js?ver=

HTML / DOM Fingerprints

CSS Classes
wp-media-categories-media-grid-walker
Data Attributes
data-term_id
data-term_name
JS Globals
wp_media_categories_taxonomies
FAQ

Frequently Asked Questions about WP Media Categories