Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
6 vulnerabilities by Meow Apps
CVE-2026-27407 (GCVE-0-2026-27407)
Vulnerability from nvd – Published: 2026-06-15 20:17 – Updated: 2026-06-16 18:11
VLAI
Title
WordPress AI Engine plugin <= 3.4.9 - Privilege Escalation vulnerability
Summary
Editor Privilege Escalation in AI Engine <= 3.4.9 versions.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-266 - Incorrect Privilege Assignment
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/plugin/… | vdb-entry |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27407",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T18:11:07.883070Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T18:11:25.205Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "ai-engine",
"product": "AI Engine",
"vendor": "Meow Apps",
"versions": [
{
"changes": [
{
"at": "3.5.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.4.9",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Phat RiO | Patchstack Bug Bounty Program"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Editor Privilege Escalation in AI Engine \u003c= 3.4.9 versions."
}
],
"value": "Editor Privilege Escalation in AI Engine \u003c= 3.4.9 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266 Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T20:17:35.477Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/ai-engine/vulnerability/wordpress-ai-engine-plugin-3-4-9-privilege-escalation-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress AI Engine Plugin to the latest available version (at least 3.5.0)."
}
],
"value": "Update the WordPress AI Engine Plugin to the latest available version (at least 3.5.0)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress AI Engine plugin \u003c= 3.4.9 - Privilege Escalation vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-27407",
"datePublished": "2026-06-15T20:17:35.477Z",
"dateReserved": "2026-02-19T09:52:22.262Z",
"dateUpdated": "2026-06-16T18:11:25.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-50897 (GCVE-0-2023-50897)
Vulnerability from nvd – Published: 2026-01-05 13:29 – Updated: 2026-04-28 16:09 X_Open Source
VLAI
Title
WordPress Media File Renamer plugin <= 5.7.7 - Arbitrary File Rename lead to RCE vulnerability
Summary
Unrestricted Upload of File with Dangerous Type vulnerability in Meow Apps Media File Renamer allows Using Malicious Files.This issue affects Media File Renamer: from n/a through 5.7.7.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://vdp.patchstack.com/database/wordpress/plu… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Meow Apps | Media File Renamer |
Affected:
n/a , ≤ 5.7.7
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50897",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-05T19:46:50.539572Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T19:46:58.415Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "media-file-renamer",
"product": "Media File Renamer",
"vendor": "Meow Apps",
"versions": [
{
"changes": [
{
"at": "5.7.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.7.7",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Taihei Shimamine | Patchstack Bug Bounty Program"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unrestricted Upload of File with Dangerous Type vulnerability in Meow Apps Media File Renamer allows Using Malicious Files.\u003cp\u003eThis issue affects Media File Renamer: from n/a through 5.7.7.\u003c/p\u003e"
}
],
"value": "Unrestricted Upload of File with Dangerous Type vulnerability in Meow Apps Media File Renamer allows Using Malicious Files.This issue affects Media File Renamer: from n/a through 5.7.7."
}
],
"impacts": [
{
"capecId": "CAPEC-17",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-17 Using Malicious Files"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:09:00.326Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://vdp.patchstack.com/database/wordpress/plugin/media-file-renamer/vulnerability/wordpress-media-file-renamer-plugin-5-7-7-arbitrary-file-rename-lead-to-rce-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress Media File Renamer plugin to the latest available version (at least 5.7.8)."
}
],
"value": "Update the WordPress Media File Renamer plugin to the latest available version (at least 5.7.8)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "WordPress Media File Renamer plugin \u003c= 5.7.7 - Arbitrary File Rename lead to RCE vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-50897",
"datePublished": "2026-01-05T13:29:13.195Z",
"dateReserved": "2023-12-15T15:45:32.564Z",
"dateUpdated": "2026-04-28T16:09:00.326Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-36850 (GCVE-0-2021-36850)
Vulnerability from nvd – Published: 2021-10-04 16:57 – Updated: 2026-04-28 16:07
VLAI
Title
WordPress Media File Renamer – Auto & Manual Rename plugin <= 5.1.9 - Cross-Site Request Forgery (CSRF) vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in WordPress Media File Renamer – Auto & Manual Rename plugin (versions <= 5.1.9). Affected parameters "post_title", "filename", "lock". This allows changing the uploaded media title, media file name, and media locking state.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wordpress.org/plugins/media-file-renamer/… | x_refsource_CONFIRM |
| https://patchstack.com/database/vulnerability/med… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Meow Apps | Media File Renamer – Auto & Manual Rename (WordPress plugin) |
Affected:
<= 5.1.9 , ≤ 5.1.9
(custom)
|
Date Public
2021-04-08 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.839Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/media-file-renamer/#developers"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/media-file-renamer/wordpress-media-file-renamer-plugin-5-1-9-multiple-cross-site-request-forgery-csrf-vulnerabilities"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-36850",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T16:48:31.675167Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T16:48:34.314Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Media File Renamer \u2013 Auto \u0026 Manual Rename (WordPress plugin)",
"vendor": "Meow Apps",
"versions": [
{
"lessThanOrEqual": "5.1.9",
"status": "affected",
"version": "\u003c= 5.1.9",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Original researcher - Ngo Van Thien (Patchstack Red Team)"
}
],
"datePublic": "2021-04-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in WordPress Media File Renamer \u2013 Auto \u0026 Manual Rename plugin (versions \u003c= 5.1.9). Affected parameters \"post_title\", \"filename\", \"lock\". This allows changing the uploaded media title, media file name, and media locking state."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:07:34.328Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/media-file-renamer/#developers"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://patchstack.com/database/vulnerability/media-file-renamer/wordpress-media-file-renamer-plugin-5-1-9-multiple-cross-site-request-forgery-csrf-vulnerabilities"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 5.2.0 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Media File Renamer \u2013 Auto \u0026 Manual Rename plugin \u003c= 5.1.9 - Cross-Site Request Forgery (CSRF) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2021-04-08T23:09:00.000Z",
"ID": "CVE-2021-36850",
"STATE": "PUBLIC",
"TITLE": "WordPress Media File Renamer \u2013 Auto \u0026 Manual Rename plugin \u003c= 5.1.9 - Cross-Site Request Forgery (CSRF) vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Media File Renamer \u2013 Auto \u0026 Manual Rename (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 5.1.9",
"version_value": "5.1.9"
}
]
}
}
]
},
"vendor_name": "Meow Apps"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Original researcher - Ngo Van Thien (Patchstack Red Team)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in WordPress Media File Renamer \u2013 Auto \u0026 Manual Rename plugin (versions \u003c= 5.1.9). Affected parameters \"post_title\", \"filename\", \"lock\". This allows changing the uploaded media title, media file name, and media locking state."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/media-file-renamer/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/media-file-renamer/#developers"
},
{
"name": "https://patchstack.com/database/vulnerability/media-file-renamer/wordpress-media-file-renamer-plugin-5-1-9-multiple-cross-site-request-forgery-csrf-vulnerabilities",
"refsource": "MISC",
"url": "https://patchstack.com/database/vulnerability/media-file-renamer/wordpress-media-file-renamer-plugin-5-1-9-multiple-cross-site-request-forgery-csrf-vulnerabilities"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 5.2.0 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2021-36850",
"datePublished": "2021-10-04T16:57:04.025Z",
"dateReserved": "2021-07-19T00:00:00.000Z",
"dateUpdated": "2026-04-28T16:07:34.328Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27407 (GCVE-0-2026-27407)
Vulnerability from cvelistv5 – Published: 2026-06-15 20:17 – Updated: 2026-06-16 18:11
VLAI
Title
WordPress AI Engine plugin <= 3.4.9 - Privilege Escalation vulnerability
Summary
Editor Privilege Escalation in AI Engine <= 3.4.9 versions.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-266 - Incorrect Privilege Assignment
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/plugin/… | vdb-entry |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27407",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T18:11:07.883070Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T18:11:25.205Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "ai-engine",
"product": "AI Engine",
"vendor": "Meow Apps",
"versions": [
{
"changes": [
{
"at": "3.5.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.4.9",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Phat RiO | Patchstack Bug Bounty Program"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Editor Privilege Escalation in AI Engine \u003c= 3.4.9 versions."
}
],
"value": "Editor Privilege Escalation in AI Engine \u003c= 3.4.9 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266 Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T20:17:35.477Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/ai-engine/vulnerability/wordpress-ai-engine-plugin-3-4-9-privilege-escalation-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress AI Engine Plugin to the latest available version (at least 3.5.0)."
}
],
"value": "Update the WordPress AI Engine Plugin to the latest available version (at least 3.5.0)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress AI Engine plugin \u003c= 3.4.9 - Privilege Escalation vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-27407",
"datePublished": "2026-06-15T20:17:35.477Z",
"dateReserved": "2026-02-19T09:52:22.262Z",
"dateUpdated": "2026-06-16T18:11:25.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-50897 (GCVE-0-2023-50897)
Vulnerability from cvelistv5 – Published: 2026-01-05 13:29 – Updated: 2026-04-28 16:09 X_Open Source
VLAI
Title
WordPress Media File Renamer plugin <= 5.7.7 - Arbitrary File Rename lead to RCE vulnerability
Summary
Unrestricted Upload of File with Dangerous Type vulnerability in Meow Apps Media File Renamer allows Using Malicious Files.This issue affects Media File Renamer: from n/a through 5.7.7.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://vdp.patchstack.com/database/wordpress/plu… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Meow Apps | Media File Renamer |
Affected:
n/a , ≤ 5.7.7
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50897",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-05T19:46:50.539572Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T19:46:58.415Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "media-file-renamer",
"product": "Media File Renamer",
"vendor": "Meow Apps",
"versions": [
{
"changes": [
{
"at": "5.7.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.7.7",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Taihei Shimamine | Patchstack Bug Bounty Program"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unrestricted Upload of File with Dangerous Type vulnerability in Meow Apps Media File Renamer allows Using Malicious Files.\u003cp\u003eThis issue affects Media File Renamer: from n/a through 5.7.7.\u003c/p\u003e"
}
],
"value": "Unrestricted Upload of File with Dangerous Type vulnerability in Meow Apps Media File Renamer allows Using Malicious Files.This issue affects Media File Renamer: from n/a through 5.7.7."
}
],
"impacts": [
{
"capecId": "CAPEC-17",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-17 Using Malicious Files"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:09:00.326Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://vdp.patchstack.com/database/wordpress/plugin/media-file-renamer/vulnerability/wordpress-media-file-renamer-plugin-5-7-7-arbitrary-file-rename-lead-to-rce-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress Media File Renamer plugin to the latest available version (at least 5.7.8)."
}
],
"value": "Update the WordPress Media File Renamer plugin to the latest available version (at least 5.7.8)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "WordPress Media File Renamer plugin \u003c= 5.7.7 - Arbitrary File Rename lead to RCE vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-50897",
"datePublished": "2026-01-05T13:29:13.195Z",
"dateReserved": "2023-12-15T15:45:32.564Z",
"dateUpdated": "2026-04-28T16:09:00.326Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-36850 (GCVE-0-2021-36850)
Vulnerability from cvelistv5 – Published: 2021-10-04 16:57 – Updated: 2026-04-28 16:07
VLAI
Title
WordPress Media File Renamer – Auto & Manual Rename plugin <= 5.1.9 - Cross-Site Request Forgery (CSRF) vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in WordPress Media File Renamer – Auto & Manual Rename plugin (versions <= 5.1.9). Affected parameters "post_title", "filename", "lock". This allows changing the uploaded media title, media file name, and media locking state.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://wordpress.org/plugins/media-file-renamer/… | x_refsource_CONFIRM |
| https://patchstack.com/database/vulnerability/med… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Meow Apps | Media File Renamer – Auto & Manual Rename (WordPress plugin) |
Affected:
<= 5.1.9 , ≤ 5.1.9
(custom)
|
Date Public
2021-04-08 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.839Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/media-file-renamer/#developers"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/media-file-renamer/wordpress-media-file-renamer-plugin-5-1-9-multiple-cross-site-request-forgery-csrf-vulnerabilities"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-36850",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T16:48:31.675167Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T16:48:34.314Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Media File Renamer \u2013 Auto \u0026 Manual Rename (WordPress plugin)",
"vendor": "Meow Apps",
"versions": [
{
"lessThanOrEqual": "5.1.9",
"status": "affected",
"version": "\u003c= 5.1.9",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Original researcher - Ngo Van Thien (Patchstack Red Team)"
}
],
"datePublic": "2021-04-08T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in WordPress Media File Renamer \u2013 Auto \u0026 Manual Rename plugin (versions \u003c= 5.1.9). Affected parameters \"post_title\", \"filename\", \"lock\". This allows changing the uploaded media title, media file name, and media locking state."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:07:34.328Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/media-file-renamer/#developers"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://patchstack.com/database/vulnerability/media-file-renamer/wordpress-media-file-renamer-plugin-5-1-9-multiple-cross-site-request-forgery-csrf-vulnerabilities"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 5.2.0 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Media File Renamer \u2013 Auto \u0026 Manual Rename plugin \u003c= 5.1.9 - Cross-Site Request Forgery (CSRF) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2021-04-08T23:09:00.000Z",
"ID": "CVE-2021-36850",
"STATE": "PUBLIC",
"TITLE": "WordPress Media File Renamer \u2013 Auto \u0026 Manual Rename plugin \u003c= 5.1.9 - Cross-Site Request Forgery (CSRF) vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Media File Renamer \u2013 Auto \u0026 Manual Rename (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 5.1.9",
"version_value": "5.1.9"
}
]
}
}
]
},
"vendor_name": "Meow Apps"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Original researcher - Ngo Van Thien (Patchstack Red Team)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in WordPress Media File Renamer \u2013 Auto \u0026 Manual Rename plugin (versions \u003c= 5.1.9). Affected parameters \"post_title\", \"filename\", \"lock\". This allows changing the uploaded media title, media file name, and media locking state."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/media-file-renamer/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/media-file-renamer/#developers"
},
{
"name": "https://patchstack.com/database/vulnerability/media-file-renamer/wordpress-media-file-renamer-plugin-5-1-9-multiple-cross-site-request-forgery-csrf-vulnerabilities",
"refsource": "MISC",
"url": "https://patchstack.com/database/vulnerability/media-file-renamer/wordpress-media-file-renamer-plugin-5-1-9-multiple-cross-site-request-forgery-csrf-vulnerabilities"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 5.2.0 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2021-36850",
"datePublished": "2021-10-04T16:57:04.025Z",
"dateReserved": "2021-07-19T00:00:00.000Z",
"dateUpdated": "2026-04-28T16:07:34.328Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}