WP Media Category Management Security & Risk Analysis

wordpress.org/plugins/wp-media-category-management

A plugin to provide bulk category management functionality for media in WordPress sites.

6K active installs · v2.5.0 · PHP + · WP 5.9+ · Updated Dec 14, 2025

Tags: bulk-toggle, media-category, media-filter, toggle-category, user-media-management

Security score: 99 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Feb 18, 2025
Safety Verdict

Is WP Media Category Management Safe to Use in 2026?

Generally Safe

Score 99/100

WP Media Category Management has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Feb 18, 2025 · Updated 3mo ago
Risk Assessment

The "wp-media-category-management" v2.5.0 plugin exhibits a generally good security posture, with consistent input sanitization and authorization checks. Static analysis shows a clean code base with no identified dangerous functions, file operations, or external HTTP requests. Furthermore, 100% of identified outputs are properly escaped, and a high percentage (89%) of SQL queries use prepared statements, substantially reducing the risk of common injection vulnerabilities. The plugin also applies nonce and capability checks across its entry points, indicating a deliberate effort to secure its administrative functionality.

However, two areas warrant attention. The single unsanitized path found by the taint analysis, although not rated critical or high severity, leaves room for subtle vulnerabilities if it is not addressed. Additionally, the plugin's history of two medium-severity CVEs, one Cross-Site Request Forgery (CSRF) and one Cross-Site Scripting (XSS), both now patched, shows past weaknesses in request validation and output handling. This pattern suggests a need for continued vigilance in code review and security testing to prevent similar issues from re-emerging.

In conclusion, "wp-media-category-management" v2.5.0 is a relatively secure plugin that implements many best practices. The low number of unprotected entry points and the consistent use of nonce and capability checks are commendable. However, the single unsanitized data flow and the historical pattern of CSRF/XSS vulnerabilities mean that ongoing security attention is still necessary. Developers should continue to prioritize thorough code reviews and testing to ensure these historical weaknesses do not resurface.

Key Concerns

  • Taint flow with unsanitized path
  • Past medium severity vulnerabilities
Vulnerabilities (2)

WP Media Category Management Security Vulnerabilities

CVEs by Year

  • 2024: 1 CVE
  • 2025: 1 CVE

Severity Breakdown

  • Medium: 2

2 total CVEs

CVE-2025-0865 · medium · 6.5 · Cross-Site Request Forgery (CSRF)

WP Media Category Management 2.0 - 2.3.3 - Cross-Site Request Forgery to Settings Update

Feb 18, 2025 · Patched in 2.4.0 (1 day)

CVE-2024-32950 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Media Category Management <= 2.2 - Reflected Cross-Site Scripting

Apr 22, 2024 · Patched in 2.3.0 (8 days)
Code Analysis
Analyzed Mar 16, 2026

WP Media Category Management Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (8 prepared)
Unescaped Output: 14 (86 escaped)
Nonce Checks: 5
Capability Checks: 10
File Operations: 0
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

Freemius 1.0

SQL Query Safety

89% prepared · 9 total queries

Output Escaping

86% escaped · 100 total outputs

Data Flows (1 unsanitized)

Data Flow Analysis

2 flows · 1 with unsanitized paths

  • mcm_custom_bulk_admin_notices (include\media\class-WP_MCM_Media_List.php:390)
Attack Surface

WP Media Category Management Attack Surface

Entry Points: 2
Unprotected: 0

AJAX Handlers (2)

  • auth · wp_ajax_mcm_dismiss_notice · include\class-WP_MCM_Plugin.php:84
  • auth · wp_ajax_save-attachment-compat · include\taxonomy\class-WP_MCM_Taxonomy_Admin.php:62
WordPress Hooks (43)

  • action · admin_init · include\admin\class-WP_MCM_Admin.php:72
  • action · admin_init · include\admin\class-WP_MCM_Admin.php:73
  • action · admin_menu · include\admin\class-WP_MCM_Admin.php:74
  • action · admin_enqueue_scripts · include\admin\class-WP_MCM_Admin.php:75
  • action · admin_print_scripts · include\admin\class-WP_MCM_Admin.php:140
  • action · admin_notices · include\admin\class-WP_MCM_Admin.php:181
  • action · network_admin_notices · include\admin\class-WP_MCM_Admin.php:183
  • action · admin_init · include\admin\class-WP_MCM_Settings.php:29
  • action · init · include\class-WP_MCM_Plugin.php:82
  • action · wp_enqueue_scripts · include\class-WP_MCM_Plugin.php:86
  • action · restrict_manage_posts · include\media\class-WP_MCM_Media_Admin.php:43
  • action · wp_enqueue_media · include\media\class-WP_MCM_Media_Admin.php:45
  • action · add_attachment · include\media\class-WP_MCM_Media_Admin.php:47
  • action · edit_attachment · include\media\class-WP_MCM_Media_Admin.php:48
  • filter · ajax_query_attachments_args · include\media\class-WP_MCM_Media_Admin.php:50
  • filter · manage_taxonomies_for_attachment_columns · include\media\class-WP_MCM_Media_List.php:50
  • filter · manage_media_columns · include\media\class-WP_MCM_Media_List.php:56
  • filter · manage_upload_sortable_columns · include\media\class-WP_MCM_Media_List.php:57
  • action · manage_media_custom_column · include\media\class-WP_MCM_Media_List.php:58
  • filter · media_row_actions · include\media\class-WP_MCM_Media_List.php:65
  • action · admin_footer-upload.php · include\media\class-WP_MCM_Media_List.php:73
  • action · load-upload.php · include\media\class-WP_MCM_Media_List.php:74
  • action · admin_notices · include\media\class-WP_MCM_Media_List.php:75
  • action · admin_enqueue_scripts · include\media\class-WP_MCM_Media_List.php:76
  • filter · wp_print_styles · include\shortcode\class-WP_MCM_Shortcode.php:111
  • action · init · include\taxonomy\class-WP_MCM_Taxonomy.php:69
  • filter · pre_get_posts · include\taxonomy\class-WP_MCM_Taxonomy.php:70
  • filter · wp_get_attachment_link · include\taxonomy\class-WP_MCM_Taxonomy.php:71
  • filter · get_the_archive_title · include\taxonomy\class-WP_MCM_Taxonomy.php:77
  • filter · attachment_fields_to_edit · include\taxonomy\class-WP_MCM_Taxonomy_Admin.php:56
  • filter · request · include\taxonomy\class-WP_MCM_Taxonomy_Admin.php:63
  • filter · wp_get_attachment_link · include\taxonomy\class-WP_MCM_Taxonomy_Admin.php:64
  • filter · connect_url · wp-media-category-management.php:237
  • filter · after_skip_url · wp-media-category-management.php:238
  • filter · after_connect_url · wp-media-category-management.php:239
  • filter · after_pending_connect_url · wp-media-category-management.php:240
  • filter · pricing_url · wp-media-category-management.php:241
  • action · plugins_loaded · wp-media-category-management.php:269
  • action · admin_init · wp-media-category-management.php:288
  • action · user_admin_menu · wp-media-category-management.php:289
  • action · admin_menu · wp-media-category-management.php:291
  • action · after_uninstall · wp-media-category-management.php:324
  • action · dmp_addpanel · wp-media-category-management.php:373
Maintenance & Trust

WP Media Category Management Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 14, 2025
PHP min version:
Downloads: 243K

Community Trust

Rating: 94/100
Number of ratings: 35
Active installs: 6K
Developer Profile

WP Media Category Management Developer Profile

DeBAAT

7 plugins · 6K total installs

Trust score: 90
Avg Security Score: 86/100
Avg Patch Time: 5 days
Detection Fingerprints

How We Detect WP Media Category Management

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/wp-media-category-management/css/wp-mcm-media-modal.css
  • /wp-content/plugins/wp-media-category-management/css/wp-mcm-media-grid.css
  • /wp-content/plugins/wp-media-category-management/css/wp-mcm-admin.css
  • /wp-content/plugins/wp-media-category-management/css/wp-mcm-bulk-edit-modal.css
  • /wp-content/plugins/wp-media-category-management/css/wp-mcm-bulk-edit-grid.css
  • /wp-content/plugins/wp-media-category-management/css/wp-mcm-imexport.css
  • /wp-content/plugins/wp-media-category-management/css/wp-mcm-settings.css
  • /wp-content/plugins/wp-media-category-management/js/wp-mcm-media-grid.js
  • +4 more

Script Paths

  • /wp-content/plugins/wp-media-category-management/js/wp-mcm-media-grid.js
  • /wp-content/plugins/wp-media-category-management/js/wp-mcm-media-modal.js
  • /wp-content/plugins/wp-media-category-management/js/wp-mcm-media-bulk-edit.js
  • /wp-content/plugins/wp-media-category-management/js/wp-mcm-imexport.js
  • /wp-content/plugins/wp-media-category-management/js/wp-mcm-settings.js

Version Parameters

  • wp-media-category-management/css/wp-mcm-media-modal.css?ver=
  • wp-media-category-management/css/wp-mcm-media-grid.css?ver=
  • wp-media-category-management/css/wp-mcm-admin.css?ver=
  • wp-media-category-management/css/wp-mcm-bulk-edit-modal.css?ver=
  • wp-media-category-management/css/wp-mcm-bulk-edit-grid.css?ver=
  • wp-media-category-management/css/wp-mcm-imexport.css?ver=
  • wp-media-category-management/css/wp-mcm-settings.css?ver=
  • wp-media-category-management/js/wp-mcm-media-grid.js?ver=
  • wp-media-category-management/js/wp-mcm-media-modal.js?ver=
  • wp-media-category-management/js/wp-mcm-media-bulk-edit.js?ver=
  • wp-media-category-management/js/wp-mcm-imexport.js?ver=
  • wp-media-category-management/js/wp-mcm-settings.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • wp-mcm-media-modal
  • wp-mcm-media-grid
  • wp-mcm-admin
  • wp-mcm-bulk-edit-modal
  • wp-mcm-bulk-edit-grid
  • wp-mcm-imexport
  • wp-mcm-settings
  • wp_mcm_media_categories
  • +1 more

HTML Comments

  • <!-- WP Media Category Management Addon -->
  • <!-- WP Media Category Management Addon: Bulk Edit Grid -->

Data Attributes

  • data-wp-mcm-media-id
  • data-wp-mcm-action
  • data-wp-mcm-settings-type
  • data-wp-mcm-section

JS Globals

  • wp_mcm_media_grid
  • wp_mcm_media_modal
  • wp_mcm_media_bulk_edit
  • wp_mcm_imexport
  • wp_mcm_settings
  • WP_MCM_AJAX_URL

REST Endpoints

  • /wp-json/wp_mcm/v1/media
  • /wp-json/wp_mcm/v1/categories
  • /wp-json/wp_mcm/v1/settings
FAQ

Frequently Asked Questions about WP Media Category Management