CVE-2024-5855 - Vulnerability Details - OpenCVE

The Media Hygiene: Remove or Delete Unused Images and More! plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the bulk_action_delete and delete_single_image_call AJAX actions in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary attachments. A nonce check was added in version 3.0.1, however, it wasn't until version 3.0.2 that a capability check was added.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Media Hygiene	Media Hygiene
Wordpress	Wordpress

No data.

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3112249%40media-hygiene&new=3112249%40media-hygiene&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/44b02690-462a-458b-88c9-89acc9c209cb?source=cve

History

Thu, 26 Feb 2026 19:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Media Hygiene Media Hygiene media Hygiene
CPEs		cpe:2.3:a:media_hygiene:media_hygiene::::::::
Vendors & Products		Media Hygiene Media Hygiene media Hygiene
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-07-09T02:03:10.458Z

Updated: 2024-08-01T21:25:02.956Z

Reserved: 2024-06-11T12:52:40.797Z

Link: CVE-2024-5855

Vulnrichment

Updated: 2024-08-01T21:25:02.956Z

NVD

Status : Awaiting Analysis

Published: 2024-07-09T02:15:10.437

Modified: 2024-11-21T09:48:28.953

Link: CVE-2024-5855

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-5855", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-06-11T12:52:40.797Z", "datePublished": "2024-07-09T02:03:10.458Z", "dateUpdated": "2024-08-01T21:25:02.956Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-07-09T02:03:10.458Z"}, "affected": [{"vendor": "slui", "product": "Media Hygiene: Remove or Delete Unused Images and More!", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "3.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Media Hygiene: Remove or Delete Unused Images and More! plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the bulk_action_delete and delete_single_image_call AJAX actions in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary attachments. A nonce check was added in version 3.0.1, however, it wasn't until version 3.0.2 that a capability check was added."}], "title": "Media Hygiene <= 3.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Attachment Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/44b02690-462a-458b-88c9-89acc9c209cb?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3112249%40media-hygiene&new=3112249%40media-hygiene&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "timeline": [{"time": "2024-07-08T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"affected": [{"vendor": "media_hygiene", "product": "media_hygiene", "cpes": ["cpe:2.3:a:media_hygiene:media_hygiene:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "3.0.2", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-09T14:20:20.039820Z", "id": "CVE-2024-5855", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-11T14:41:26.516Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:25:02.956Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/44b02690-462a-458b-88c9-89acc9c209cb?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3112249%40media-hygiene&new=3112249%40media-hygiene&sfp_email=&sfph_mail=", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/44b02690-462a-458b-88c9-89acc9c209cb?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3112249%40media-hygiene&new=3112249%40media-hygiene&sfp_email=&sfph_mail=", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:25:02.956Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5855", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-09T14:20:20.039820Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:media_hygiene:media_hygiene:*:*:*:*:*:*:*:*"], "vendor": "media_hygiene", "product": "media_hygiene", "versions": [{"status": "affected", "version": "0", "lessThan": "3.0.2", "versionType": "semver"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-09T15:08:12.409Z"}}], "cna": {"title": "Media Hygiene <= 3.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Attachment Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"}}], "affected": [{"vendor": "slui", "product": "Media Hygiene: Remove or Delete Unused Images and More!", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.0.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-07-08T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/44b02690-462a-458b-88c9-89acc9c209cb?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3112249%40media-hygiene&new=3112249%40media-hygiene&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Media Hygiene: Remove or Delete Unused Images and More! plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the bulk_action_delete and delete_single_image_call AJAX actions in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary attachments. A nonce check was added in version 3.0.1, however, it wasn't until version 3.0.2 that a capability check was added."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-07-09T02:03:10.458Z"}}}, "cveMetadata": {"cveId": "CVE-2024-5855", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:25:02.956Z", "dateReserved": "2024-06-11T12:52:40.797Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-07-09T02:03:10.458Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "The Media Hygiene: Remove or Delete Unused Images and More! plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the bulk_action_delete and delete_single_image_call AJAX actions in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary attachments. A nonce check was added in version 3.0.1, however, it wasn't until version 3.0.2 that a capability check was added."}, {"lang": "es", "value": "El complemento Media Hygiene: Remove or Delete Unused Images and More! para WordPress es vulnerable a la p\u00e9rdida no autorizada de datos debido a una falta de verificaci\u00f3n de capacidad en las acciones AJAX Bulk_action_delete y delete_single_image_call en todas las versiones hasta la 3.0.1 incluida. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, eliminen archivos adjuntos arbitrarios. Se agreg\u00f3 una verificaci\u00f3n nonce en la versi\u00f3n 3.0.1; sin embargo, no fue hasta la versi\u00f3n 3.0.2 que se agreg\u00f3 una verificaci\u00f3n de capacidad."}], "id": "CVE-2024-5855", "lastModified": "2024-11-21T09:48:28.953", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2024-07-09T02:15:10.437", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3112249%40media-hygiene&new=3112249%40media-hygiene&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/44b02690-462a-458b-88c9-89acc9c209cb?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3112249%40media-hygiene&new=3112249%40media-hygiene&sfp_email=&sfph_mail="}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/44b02690-462a-458b-88c9-89acc9c209cb?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis"}