Scan free
MEDIUMCVE-2026-6670CVSS 6.5

CVE-2026-6670: Path Traversal in Media Sync WordPress Plugin

Platform

wordpress

Component

media-sync

Fixed in

1.5.0

View on NVD
Save

CVE-2026-6670 describes a Path Traversal vulnerability affecting the Media Sync plugin for WordPress. This flaw allows authenticated attackers, specifically those with Author-level access or higher, to potentially access sensitive files outside the intended uploads directory. The vulnerability impacts versions 1.0.0 through 1.4.9 and has been resolved in version 1.5.0.

WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Impact and Attack Scenarios

An attacker exploiting this Path Traversal vulnerability could read arbitrary files on the server. This includes potentially sensitive configuration files, database credentials, or other application data. While the vulnerability requires authentication (Author access or higher), this is a relatively low barrier to entry for many WordPress installations. Successful exploitation could lead to information disclosure, and in some cases, could be a stepping stone for further attacks, such as gaining shell access if sensitive credentials are exposed. The blast radius is limited to the server hosting the WordPress instance and the files accessible by the attacker.

Exploitation Context

The vulnerability was published on 2026-05-14. There is no indication of active exploitation campaigns targeting this vulnerability at the time of writing. The EPSS score is pending evaluation. Public Proof-of-Concept (POC) code is likely to emerge given the relatively straightforward nature of Path Traversal vulnerabilities.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh
Reports1 threat report

CISA SSVC

Exploitationnone
Automatableno
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N6.5MEDIUMAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredLowAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityHighRisk of sensitive data exposureIntegrityNoneRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
None — no integrity impact. Attacker cannot modify data.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Componentmedia-sync
Vendorwordfence
Minimum version1.0.0
Maximum version1.4.9
Fixed in1.5.0

Weakness Classification (CWE)

CWE-22

Timeline

  1. Reserved
  2. Published

Mitigation and Workarounds

The primary mitigation for CVE-2026-6670 is to upgrade the Media Sync plugin to version 1.5.0 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests containing directory traversal sequences (e.g., ../) in the subdir and mediaitems parameters. Additionally, restrict file upload permissions to the intended uploads directory. After upgrading, verify the fix by attempting to access a file outside the uploads directory via the vulnerable parameters; the request should be denied.

How to fix

Update to version 1.5.0, or a newer patched version

Frequently asked questions

What is CVE-2026-6670 — Path Traversal in Media Sync WordPress Plugin?

CVE-2026-6670 is a security vulnerability in the Media Sync WordPress plugin allowing authenticated users to access files outside the intended uploads directory. It affects versions 1.0.0–1.4.9 and is classified as a Path Traversal vulnerability.

Am I affected by CVE-2026-6670 in Media Sync WordPress Plugin?

You are affected if your WordPress website uses the Media Sync plugin in versions 1.0.0 through 1.4.9. Check your plugin versions immediately to determine your risk level.

How do I fix CVE-2026-6670 in Media Sync WordPress Plugin?

Upgrade the Media Sync plugin to version 1.5.0 or later. If immediate upgrade is not possible, implement a WAF rule to block directory traversal attempts and restrict file upload permissions.

Is CVE-2026-6670 being actively exploited?

There is currently no evidence of active exploitation campaigns targeting CVE-2026-6670, but public POCs are likely to emerge.

Where can I find the official Media Sync advisory for CVE-2026-6670?

Refer to the Media Sync plugin's official website or WordPress plugin repository for the latest advisory and update information regarding CVE-2026-6670.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs
WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free
livefree scan

Scan your WordPress project now — no account

Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.

Manual scanSlack/email alertsContinuous monitoringWhite-label reports

Drag & drop your dependency file

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...