Vulnerabilities ›

CVE-2026-6670

Medium

CWE-22 — Weakness Type

                    Published: May 14, 2026                      ·  Modified: May 17, 2026                      ·  Source: NVD                

CVSS v3

6.5

🔗 NVD Official

📄 Description (English)

The Media Sync plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.9 via the 'sub_dir' and 'media_items' parameters. This is due to insufficient validation of user-supplied file paths, which are not checked for directory traversal sequences or restricted to the intended uploads directory. This makes it possible for authenticated attackers, with Author-level access and above, to perform actions on files outside of the originally intended directory.

🤖 AI Executive Summary

The Media Sync WordPress plugin versions up to 1.4.9 contains a path traversal vulnerability in the 'sub_dir' and 'media_items' parameters that allows authenticated attackers with Author-level access to access files outside the intended uploads directory. Attackers can exploit insufficient input validation to perform unauthorized file operations on the server.

📄 Description (Arabic)

ثغرة اجتياز المسار في إضافة Media Sync لـ WordPress تسمح للمهاجمين المصرح لهم بمستوى المؤلف أو أعلى بالوصول إلى الملفات خارج مجلد التحميل المقصود. تنتج الثغرة عن عدم كفاية التحقق من صحة مسارات الملفات المدخلة من قبل المستخدم، مما يسمح باجتياز تسلسلات المجلدات.

🤖 ملخص تنفيذي (AI)

🤖 AI Intelligence Analysis Analyzed: May 16, 2026 02:00

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

government banking telecom healthcare

🎯 MITRE ATT&CK Techniques

T1083 T1190 T1566

⚖️ Saudi Risk Score (AI)

6.0

/ 10.0

🔧 Remediation Steps (English)

Update the Media Sync plugin to version 1.5.0 or later immediately. Implement strict input validation for file path parameters. Restrict file operations to the designated uploads directory only. Review user access permissions and limit Author-level privileges where unnecessary. Monitor file access logs for suspicious activity.

🔧 خطوات المعالجة (العربية)

قم بتحديث إضافة Media Sync إلى الإصدار 1.5.0 أو أحدث فوراً. طبق التحقق الصارم من صحة مدخلات مسارات الملفات. قيد عمليات الملفات على مجلد التحميل المخصص فقط. راجع أذونات وصول المستخدمين وقلل امتيازات مستوى المؤلف حيث لا تكون ضرورية. راقب سجلات الوصول إلى الملفات للكشف عن النشاط المريب.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

AC-2 AC-3 SI-10

🔵 SAMA CSF

CC6.1 CC6.2 CC7.2

🟡 ISO 27001:2022

A.9.2.1 A.9.4.3 A.14.2.1

🔗 References & Sources 2

🔗

https://plugins.trac.wordpress.org/changeset/3511221/media-sync

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/ebbc420d-43fd-48c4-8507-6d94b...

security@wordfence.com

📊 CVSS Score

6.5

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityN — None / Network

AvailabilityN — None / Network

📋 Quick Facts

Severity Medium

CVSS Score6.5

CWECWE-22

EPSS0.51%

Exploit No

Patch ✗ No

Published 2026-05-14

Source Feed nvd

🇸🇦 Saudi Risk Score

6.0

/ 10.0 — Saudi Risk

Priority: MEDIUM

🏷️ Tags

CWE-22

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-6670

Introduce Yourself

Sign In Required