PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9690 Joomunited CVE debrief

CVE-2026-9690 is a high-severity vulnerability (CVSS 7.5) in WP Media folder Addon versions <= 4.0.1. It allows unauthenticated arbitrary file downloads, which puts files on affected systems at significant risk of disclosure. The CVE was published on 2026-06-17T13:21:35.147Z and last modified on 2026-06-17T17:17:28.293Z. Users of the affected plugin should take immediate action to mitigate the risk.

Vendor: Joomunited
Product: WP Media folder Addon
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Administrators and users of WordPress sites with the WP Media folder Addon plugin installed, especially those using versions <= 4.0.1, should be aware of this vulnerability and take necessary precautions.

Technical summary

The vulnerability is an unauthenticated arbitrary file download issue in the WP Media folder Addon plugin, rated CVSS 7.5 (HIGH). The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N: the issue is reachable over the network with low attack complexity, requires no privileges and no user interaction, and has a high impact on confidentiality with no impact on integrity or availability. The weakness is classified as CWE-22 (path traversal).

Defensive priority

High

Recommended defensive actions

  • Update the WP Media folder Addon plugin to a version greater than 4.0.1.
  • Restrict access to sensitive files and directories.
  • Implement additional security measures, such as web application firewalls (WAFs).
  • Monitor systems for suspicious activity.
  • Consider removing the plugin if not necessary.
  • Keep WordPress and all plugins up to date.
  • Use secure protocols for file transfers.
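
A version audit for the first action above, as an added example (not code from PatchSiren or Joomunited): it reads the WordPress plugin headers under a plugins directory and flags copies of the add-on at or below 4.0.1. The `Plugin Name` header text it matches and the sample directory names in `demo()` are assumptions.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (4, 0, 1)           # from the page: versions <= 4.0.1 are affected
PRODUCT = "wp media folder addon"   # assumption: text of the "Plugin Name:" header
# Header lines in the comment block at the top of a plugin's main PHP file.
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)

def parse_version(text):
    """'4.0.1' -> (4, 0, 1); '4.1' -> (4, 1, 0); a '-beta' style suffix is ignored."""
    nums = [int(n) for n in re.findall(r"\d+", re.split(r"[-+ ]", text.strip())[0])]
    return tuple(nums + [0] * (3 - len(nums))) if nums else None

def read_headers(php_file):
    """Return the first Plugin Name / Version header in the file's first 8 KiB."""
    with open(php_file, "r", errors="replace") as fh:
        head = fh.read(8192)
    found = {}
    for key, value in HEADER.findall(head):
        found.setdefault(key.lower(), value)
    return found

def audit(plugins_dir):
    """List (directory, version, status) for each copy of the add-on found."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        headers = read_headers(php)
        if headers.get("plugin name", "").lower() != PRODUCT:
            continue
        version = parse_version(headers.get("version", ""))
        # No parsable version means the copy needs a manual check.
        status = "unknown" if version is None else ("affected" if version <= LAST_AFFECTED else "ok")
        findings.append((php.parent.name, headers.get("version"), status))
    return findings

def demo():
    """Audit a constructed plugins tree (directory names and versions are made up)."""
    addon = "WP Media folder Addon"
    samples = [("addon-old", addon, "4.0.1"), ("addon-new", addon, "4.0.2"),
               ("addon-odd", addon, "trunk"), ("other", "Some Other Plugin", "1.0")]
    with tempfile.TemporaryDirectory() as root:
        for directory, title, ver in samples:
            main = Path(root, directory, "main.php")
            main.parent.mkdir()
            main.write_text(f"<?php\n/*\n * Plugin Name: {title}\n * Version: {ver}\n */\n")
        return audit(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

To check a real site, call `audit()` with the path to its `wp-content/plugins` directory; "ok" only means the version is outside the affected range stated above.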

Evidence notes

The information provided is based on data from official sources, including CVE.org and NVD. The CVE record and NVD detail pages provide further information on the vulnerability.
