Vulnerabilities and security researches formoving-media-library moving-media-library

Mar 07, 2025

CVE, Research URL: CVE-2024-13897
Home page URL: Security reports for Moving Media Library
Application: Moving Media Library
Date: Mar 06, 2025
Research Description: The Moving Media Library plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the generate_json_page function in all versions up to, and including, 1.22. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Affected versions: max 1.23.
Status: vulnerable