Description
Missing Authorization vulnerability in Sully Media Library File Size media-library-file-size allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Media Library File Size: from n/a through <= 1.6.7.
Published: 2026-01-23
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to plugin functionality
Action: Patch
AI Analysis

Impact

The CVE identifies a missing authorization flaw in the Media Library File Size plug‑in (Sully). The vulnerability allows attackers to exploit incorrectly configured access control, potentially granting unauthorized users the ability to modify plugin settings or access media resources. This weakness is classified as CWE‑862. The description does not mention remote code execution or direct data exfiltration capabilities.

Affected Systems

WordPress Media Library File Size plug‑in released by Sully, affecting all releases up through and including version 1.6.7.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity and the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to reach the WordPress site via the web interface and leverage the plug‑in’s administrative endpoints that lack proper authorization checks. The CVE text does not specify the exact interaction method; the likely attack vector is inferred from the plugin’s admin functionality, though this inference is not explicitly stated in the CVE data.

Generated by OpenCVE AI on April 16, 2026 at 07:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Media Library File Size plug‑in to a version newer than 1.6.7 that removes the missing authorization flaw.
  • If an immediate upgrade is not possible, restrict access to the plug‑in’s admin URLs by configuring the site’s .htaccess file or using a security plug‑in to allow only administrators to reach the "media-library-file-size" endpoints.
  • Review the WordPress site’s role‑based permissions to ensure that only users with administrative privileges can manage plug‑in settings or media library files.

Generated by OpenCVE AI on April 16, 2026 at 07:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 26 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 26 Jan 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Sully
Sully media Library File Size
Wordpress
Wordpress wordpress
Vendors & Products Sully
Sully media Library File Size
Wordpress
Wordpress wordpress

Fri, 23 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Sully Media Library File Size media-library-file-size allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Media Library File Size: from n/a through <= 1.6.7.
Title WordPress Media Library File Size plugin <= 1.6.7 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Sully Media Library File Size
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:19.088Z

Reserved: 2026-01-23T12:31:58.117Z

Link: CVE-2026-24569

cve-icon Vulnrichment

Updated: 2026-01-26T18:43:36.993Z

cve-icon NVD

Status : Deferred

Published: 2026-01-23T15:16:14.733

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24569

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T07:30:28Z

Weaknesses