cleantalk
Vulnerabilities and Security Researches

Media Sync, CVE-2026-6670

CVE, Research URL

CVE-2026-6670

Home page URL

Security reports for Media Sync

Application

Media Sync

Published on
May 14, 2026
Research Description
The Media Sync plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.9 via the 'sub_dir' and 'media_items' parameters. This is due to insufficient validation of user-supplied file paths, which are not checked for directory traversal sequences or restricted to the intended uploads directory. This makes it possible for authenticated attackers, with Author-level access and above, to perform actions on files outside of the originally intended directory.
Affected versions
max 1.5.0.
Status
vulnerable
Previous vulnerability researches
MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) (CVE-2026-5371) , May 13, 2026
MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) (CVE-2022-3904) , Jun 07, 2024
MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) (CVE-2023-0081) , Jun 07, 2024
MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) (CVE-2014-9174) , Jun 07, 2024
MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) (CVE-2023-23999) , Jun 07, 2024
New vulnerability
Media Sync (CVE-2026-6670) , May 15, 2026
Royal Elementor Addons and Templates (CVE-2026-6504) , May 15, 2026
Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress (CVE-2026-7619) , May 15, 2026
HUSKY – Products Filter for WooCommerce Professional (CVE-2020-37174) , May 15, 2026
Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder (CVE-2026-6828) , May 15, 2026