What is CVE-2026-9690?

CVE-2026-9690 is a critical vulnerability in the Media folder Addon plugin for WordPress, affecting versions up to 4.0.1. It allows unauthenticated attackers to exploit a Directory Traversal flaw to read arbitrary files on the server.

How does the vulnerability work?

The vulnerability arises from improper input validation in file download operations. Attackers can use path traversal sequences, such as ‘../’, to access files outside the intended directory, potentially exposing sensitive information.

Who is affected by this vulnerability?

Any WordPress site using the Media folder Addon plugin version 4.0.1 or earlier is affected. Administrators should verify their plugin version to determine if they are at risk.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Media folder Addon plugin installed. If it is version 4.0.1 or earlier, your site is at risk and should be updated immediately.

What is the recommended fix for this vulnerability?

The recommended fix is to update the Media folder Addon plugin to version 4.0.2 or later, which includes a patch that implements proper path validation to prevent exploitation.

What does the CVSS score of 9.1 mean?

A CVSS score of 9.1 indicates a critical severity level, meaning the vulnerability poses a significant risk to affected systems. Exploitation can lead to serious consequences, including data breaches.

What are the potential risks of this vulnerability?

If exploited, attackers can access sensitive files such as wp-config.php, which contains database credentials and other critical information. This can lead to full site compromise and data loss.

How does the proof of concept demonstrate the vulnerability?

The proof of concept typically involves sending a crafted request to the vulnerable endpoint with a path traversal parameter. This request allows the attacker to download sensitive files, demonstrating the exploitability of the vulnerability.

What measures can I take to mitigate the risk?

In addition to updating the plugin, consider implementing web application firewalls, monitoring for unusual access patterns, and regularly reviewing file permissions to enhance overall security.

Is there any additional information available on this vulnerability?

For more detailed information, refer to the official CVE database entry for CVE-2026-9690 and security advisories from WordPress security resources.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the plugin until a patch can be applied. Additionally, restrict access to the affected endpoints through server configuration.

Will future updates prevent similar vulnerabilities?

While updates can address specific vulnerabilities, it is crucial to maintain a regular update schedule for all plugins and themes. Regular security audits and code reviews can also help identify potential issues before they become vulnerabilities.

Published : June 20, 2026

CVE-2026-9690: Media folder Addon <= 4.0.1 Unauthenticated Arbitrary File Download PoC, Patch Analysis & Rule

CVE ID CVE-2026-9690

Plugin wp-media-folder-addon

Severity Critical (CVSS 9.1)

CWE 22

Vulnerable Version 4.0.1

Patched Version —

Disclosed June 3, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-9690 (metadata-based): This vulnerability allows unauthenticated attackers to download arbitrary files from the WordPress server through the Media folder Addon plugin. The plugin versions up to and including 4.0.1 are affected. The CVSS score is 9.1, indicating critical severity.

The root cause is a Path Traversal vulnerability (CWE-22). The plugin likely fails to properly sanitize user-supplied input used in file read operations. The attacker can inject directory traversal sequences such as ‘../’ to escape the intended directory. Based on the CWE classification and description, this vulnerability most likely exists in a file download handler that reads files based on a user-controlled parameter without validating the resolved path remains within an allowed directory. No code diff is available for confirmation.

Exploitation targets an AJAX handler or REST endpoint that serves file downloads. The plugin slug ‘wp-media-folder-addon’ suggests an endpoint like /wp-admin/admin-ajax.php with action parameter ‘media_folder_download’ or similar. The attacker sends a request with a parameter containing path traversal sequences, e.g., file=../../../wp-config.php. Since no authentication is required, any unauthenticated user can exploit this to read sensitive files.

The remediation requires adding proper path validation. The fix in version 4.0.2 likely implements realpath() or similar to canonicalize the file path and then verifies it starts with the allowed base directory. Input validation should also strip or reject path traversal sequences before the path is used.

The impact is high. Attackers can read the wp-config.php file containing database credentials, encryption keys, and other secrets. This can lead to full site compromise, data breaches, and potentially lateral movement if database credentials are reused elsewhere.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-9690 (metadata-based)
# Block directory traversal in file download parameters
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-9690 Media folder Addon path traversal attempt',severity:'CRITICAL',tag:'CVE-2026-9690'"
  SecRule ARGS_POST:action "@streq media_folder_download" "chain"
    SecRule ARGS_POST:file "@rx ../" 
      "t:none"

# Alternative action name variant
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20261995,phase:2,deny,status:403,chain,msg:'CVE-2026-9690 Media folder Addon path traversal attempt',severity:'CRITICAL',tag:'CVE-2026-9690'"
  SecRule ARGS_POST:action "@streq download_file" "chain"
    SecRule ARGS_POST:path "@rx ../" 
      "t:none"

Frequently Asked Questions

What is CVE-2026-9690?
Overview of the vulnerability
CVE-2026-9690 is a critical vulnerability in the Media folder Addon plugin for WordPress, affecting versions up to 4.0.1. It allows unauthenticated attackers to exploit a Directory Traversal flaw to read arbitrary files on the server.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from improper input validation in file download operations. Attackers can use path traversal sequences, such as ‘../’, to access files outside the intended directory, potentially exposing sensitive information.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Media folder Addon plugin version 4.0.1 or earlier is affected. Administrators should verify their plugin version to determine if they are at risk.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the Media folder Addon plugin installed. If it is version 4.0.1 or earlier, your site is at risk and should be updated immediately.
What is the recommended fix for this vulnerability?
Steps to remediate the issue
The recommended fix is to update the Media folder Addon plugin to version 4.0.2 or later, which includes a patch that implements proper path validation to prevent exploitation.
What does the CVSS score of 9.1 mean?
Understanding severity ratings
A CVSS score of 9.1 indicates a critical severity level, meaning the vulnerability poses a significant risk to affected systems. Exploitation can lead to serious consequences, including data breaches.
What are the potential risks of this vulnerability?
Impact of exploitation
If exploited, attackers can access sensitive files such as wp-config.php, which contains database credentials and other critical information. This can lead to full site compromise and data loss.
How does the proof of concept demonstrate the vulnerability?
Understanding the PoC
The proof of concept typically involves sending a crafted request to the vulnerable endpoint with a path traversal parameter. This request allows the attacker to download sensitive files, demonstrating the exploitability of the vulnerability.
What measures can I take to mitigate the risk?
Additional security practices
In addition to updating the plugin, consider implementing web application firewalls, monitoring for unusual access patterns, and regularly reviewing file permissions to enhance overall security.
Is there any additional information available on this vulnerability?
Resources for further reading
For more detailed information, refer to the official CVE database entry for CVE-2026-9690 and security advisories from WordPress security resources.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updates are not possible, consider disabling the plugin until a patch can be applied. Additionally, restrict access to the affected endpoints through server configuration.
Will future updates prevent similar vulnerabilities?
Long-term security considerations
While updates can address specific vulnerabilities, it is crucial to maintain a regular update schedule for all plugins and themes. Regular security audits and code reviews can also help identify potential issues before they become vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations