A Broken Access Control vulnerability has been identified in the WordPress Media from FTP plugin. This vulnerability could allow an unprivileged user to upload arbitrary files to the website, potentially compromising the security of the website. This plugin vulnerability, discovered and responsibly reported by Marc-Alexandre Montpas, could potentially compromise the website’s integrity and security.

The vulnerability is a Broken Access Control vulnerability that occurs in the class-media-from-ftp.php file. The vulnerability allows an unprivileged user to upload arbitrary files to the website by specifying a malicious file path in the file parameter of the upload_file function.


With a CVSS 3.1 score of 6.3, this vulnerability is classified as medium severity.

Affected Versions:

The vulnerability affects Media from FTP plugin versions prior to 11.16.


An attacker who successfully exploits this vulnerability could upload arbitrary files to the website, such as malicious scripts or malware. These files could then be executed by visitors to the website, potentially leading to a variety of security risks, such as:

  • Stealing cookies or session tokens
  • Hijacking user accounts
  • Conducting phishing attacks
  • Damaging the website’s files or database


To protect the website and users from potential exploitation, swift and decisive action is essential:

  1. Update Immediately: Ensure the Media from FTP Plugin is updated to at least version 11.16 or the latest available version. This update contains critical fixes to address the Broken Access Control vulnerability and enhance the overall security of the plugin.
  2. Regular Security Audits: Conduct routine security audits of the WordPress website to identify and rectify vulnerabilities proactively. Regular updates and patches are pivotal for maintaining a secure environment.
  3. Stay Informed: Monitor official sources for any updates or advisories related to the Media from FTP Plugin. Timely updates and awareness are key to ensuring your website’s security.