Description
The Media Sync plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.9 via the 'sub_dir' and 'media_items' parameters. This is due to insufficient validation of user-supplied file paths, which are not checked for directory traversal sequences or restricted to the intended uploads directory. This makes it possible for authenticated attackers, with Author-level access and above, to perform actions on files outside of the originally intended directory.
Published: 2026-05-14
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Media Sync plugin for WordPress is vulnerable to path traversal as a result of insufficient validation on the 'sub_dir' and 'media_items' parameters. Because the plugin accepts file paths for uploads without checking for directory traversal sequences or restricting them to the intended uploads directory, an attacker who can authenticate with Author-level or higher access can construct requests that resolve to arbitrary files on the server. The flaw can lead to reading, modifying, or deleting files outside the plugin’s scoped directory, thereby compromising data integrity, confidentiality, or availability of the WordPress installation.

Affected Systems

This issue impacts installations of erolsk8 Media Sync plugin up to and including version 1.4.9. Any WordPress site that has the plugin active and allows author‑level or higher permissions is affected.

Risk and Exploitability

A CVSS score of 6.5 classifies the vulnerability as medium severity; the exploit requires authenticated access, typically granted to content authors. The EPSS score is unavailable, and the issue is not listed in CISA’s known exploited vulnerabilities catalog. The attack vector is authenticated, meaning an attacker must first obtain author‑level credentials. Once authenticated, traversal can be used to access arbitrary files, potentially leading to data leakage or server compromise. No public exploitation evidence exists, so the current risk is moderate but remediation is strongly recommended.

Generated by OpenCVE AI on May 14, 2026 at 08:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Media Sync plugin to version 1.5.0 or later, which removes the unvalidated path traversal code.
  • Restrict author‑level permissions to trusted administrators only, or disable the plugin entirely if it is not required for site operation.
  • As a temporary measure, modify the plugin’s input handling to reject any 'sub_dir' or 'media_items' value that contains directory traversal characters (e.g., '..') until the official update is applied.

Generated by OpenCVE AI on May 14, 2026 at 08:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Erolsk8
Erolsk8 media Sync
Wordpress
Wordpress wordpress
Vendors & Products Erolsk8
Erolsk8 media Sync
Wordpress
Wordpress wordpress

Thu, 14 May 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 07:00:00 +0000

Type Values Removed Values Added
Description The Media Sync plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.9 via the 'sub_dir' and 'media_items' parameters. This is due to insufficient validation of user-supplied file paths, which are not checked for directory traversal sequences or restricted to the intended uploads directory. This makes it possible for authenticated attackers, with Author-level access and above, to perform actions on files outside of the originally intended directory.
Title Media Sync <= 1.4.9 - Authenticated (Author+) Path Traversal via 'sub_dir' and 'media_items' Parameters
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Erolsk8 Media Sync
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-14T10:43:20.814Z

Reserved: 2026-04-20T12:56:59.102Z

Link: CVE-2026-6670

cve-icon Vulnrichment

Updated: 2026-05-14T10:43:16.312Z

cve-icon NVD

Status : Deferred

Published: 2026-05-14T07:16:21.277

Modified: 2026-05-14T14:28:41.283

Link: CVE-2026-6670

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T14:32:51Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')