WordPress Plugin Vulnerabilities

Rename Media Files <= 1.0.1 - Authenticated (Contributor+) Remote Code Execution

Description

The Rename Media Files plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.1. This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server.

Affects Plugins

Plugin icon
rename-media-files
No known fix

References

CVE
CVE-2023-32095
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c22c2c17-c9c5-46eb-877a-a49ccf1a74ef

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
8.8 (High)

Miscellaneous

Original Researcher
Taihei Shimamine
Verified
No
WPVDB ID
2b7966f3-97ca-4e07-830a-44237b0956eb

Timeline

Publicly Published
2023-11-07 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2023-11-24 (about 2 years ago)

Other

Published
Title
Published
2026-03-19
Title
YML for Yandex Market < 5.0.26 - Shop Manager+ RCE via Feed Generation
Published
2025-05-22
Title
MetalpriceAPI < 1.1.5 - Contributor+ Remote Code Execution
Published
2017-08-26
Title
Multiple Plugins - Unauthenticated RCE via PHPUnit
Published
2025-06-23
Title
Content No Cache < 0.1.5 - Unauthenticated Arbitrary Function Call
Published
2021-05-25
Title
SP Project & Document Manager < 4.22 - Authenticated Shell Upload