CVE-2023-50897 is a critical security vulnerability affecting the Media File Renamer plugin for WordPress (by Meow Apps). The flaw arises from an unrestricted upload of files with dangerous types, allowing malicious files to be introduced into a site’s environment without proper validation.
- It affects Media File Renamer versions up to and including 5.7.7.
- The vulnerability enables dangerous file types to be uploaded and processed, potentially leading to severe consequences such as remote code execution or full site compromise.
Severity & Impact
- CVSS v3 Score: 9.1 (Critical) — indicating a severe vulnerability.
- Attack Vector: Network (can be exploited remotely).
- Attack Complexity: Low (no special conditions needed).
- Privileges Required: High (attacker must already be authenticated with elevated access).
- User Interaction: None required.
- Confidentiality / Integrity / Availability: All High impact if exploited.
This means if an attacker has high-level access (e.g., an admin), they could upload malicious files that the plugin improperly accepts, potentially leading to remote code execution or full server compromise.
The underlying weakness is classified under CWE-434: Unrestricted Upload of File with Dangerous Type.
Mitigation & Fix
- Update the Plugin: Ensure Media File Renamer is updated to the latest version where this issue is fixed (versions above 5.7.7).
- Restrict File Uploads: Implement strict file validation and sanitization on your WordPress installation.
- Limit Admin Access: Minimize the number of users with elevated privileges.
- Monitor for Suspicious Uploads: Log and review file upload activity for unexpected types.
Summary
| Aspect | Details |
|---|---|
| CVE ID | CVE-2023-50897 |
| Affected Product | WordPress Media File Renamer plugin ≤ 5.7.7 |
| Severity | Critical (CVSS 9.1) |
| Impact | Potential remote code execution via malicious file upload |
| Fix | Update to plugin version > 5.7.7 |
