Critical Vulnerability Fixed in External Media Plugin

The Wordfence Intelligence team revealed the details of a vulnerability in External Media, a WordPress plugin used by 8,000+ sites.

This flaw allowed authenticated attackers to upload arbitrary files, which could then be used to achieve remote code execution and complete site takeover.

The Wordfence team first contacted the plugin’s creator on February 2, 2021. After several minor updates and follow-ups with the developer, a fully patched version, 1.0.34, was released.

External Media Plugin Changelog

External Media is a WordPress plugin that allows users to upload media files from other sources. Unfortunately, the plugin had a flaw that enabled authenticated low-level users, such as subscribers, to upload PHP files from untrusted sources.

“This is considered a critical vulnerability. Therefore, we highly recommend updating to the latest patched version available, v1.0.34, immediately,” Wordfence said in a blog post.
