CVE-2026-9690: WordPress WP Media folder Addon plugin <= 4.0.1 - Arbitrary File Download vulnerability
Unauthenticated Arbitrary File Download in WP Media folder Addon versions <= 4.0.1.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An arbitrary file download vulnerability affects the WP Media folder Addon plugin for WordPress in versions 4.0.1 and below. The flaw is reachable over the network with no authentication required and no user interaction needed, making it trivially exploitable by any remote attacker. Successful exploitation allows the attacker to download arbitrary files from the server, exposing sensitive data such as configuration files, credentials, and application secrets. HarborGuard is tracking the advisory for patch availability, as no fix version has been published yet.
HarborGuard Coverage
- Detection (Available): Detection of CVE-2026-9690 is available across every HarborGuard environment. Images containing the affected WP Media folder Addon package are matched against ingested vulnerability feeds within minutes of publication, including custom-built WordPress images that bundle this plugin.
- Triage (Available): Triage uses the CVSS v3.1 score of 7.5 (HIGH), weighted against each customer environment's compliance policy to determine urgency and routing. Findings are surfaced to the appropriate team inbox within each customer organization based on configured alert rules.
- Upstream fix (Pending upstream): No upstream fix has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Joomunited ships a remediated version. In the interim, compensating controls such as network-policy isolation and web application firewall rules blocking the vulnerable endpoint are surfaced as guidance within the platform.
Exploit Conditions
- Network reachability: Required. The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP or HTTPS.
- Authentication: Not required. No account or session token of any kind is needed; the vulnerable request can be issued by any unauthenticated party.
- Victim interaction: Not required. The attacker sends a direct request to the server and receives the file in response; no user action is involved.
- Attack complexity: Low (AC:L in the CVSS vector). Exploitation is straightforward and condition-free, requiring no race conditions, specific memory layout, or environmental prerequisites.
Blast Radius
- Reads arbitrary files from the WordPress server filesystem, including wp-config.php, which contains database credentials and authentication keys.
- Exposes application secrets, API keys, or private certificates stored anywhere the web server process has read access.
- Allows an attacker to map the server environment by downloading configuration and log files, supporting further targeted attacks.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists for CVE-2026-9690, the platform monitors the Patchstack advisory feed on every ingest cycle and will trigger a patched-image rebuild automatically once Joomunited publishes a remediated version. For customers who opt into auto-remediation, that rebuild will include a regression test run and a PR opened against affected workloads with no manual steps required. In the meantime, HarborGuard surfaces compensating-control guidance for affected environments, including network-policy rules that restrict external access to the plugin's file-serving endpoint, web application firewall signatures targeting the unauthenticated download path, and feature-flag or plugin-disable options where the WordPress configuration permits it. Where compliance policy mandates immediate action on HIGH-severity findings, the platform routes an alert to the designated team inbox so operators can apply manual mitigations without waiting for an automated rebuild.
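The compensating controls above (WAF signatures on the download path, alerting on HIGH findings) need a way to spot download attempts in web server logs. The script below is an added example, not HarborGuard's or Joomunited's code, and it deliberately does not key on a plugin path because the advisory does not name the vulnerable endpoint; the `/index.php?download=` query in the constructed sample lines is a placeholder, not the real parameter. It decodes each request URL (repeatedly, to catch double encoding), then flags directory traversal and references to sensitive files such as wp-config.php, which the Blast Radius section singles out.

```python
"""Access-log triage for arbitrary-file-download attempts.

Added example (not part of the HarborGuard advisory or the plugin). The
vulnerable endpoint is not named in the advisory, so this does not match on a
plugin path; it flags any request whose percent-decoded URL contains directory
traversal or names a sensitive file. The log lines below are constructed.
"""
import re
from urllib.parse import unquote

# Files whose disclosure the advisory's Blast Radius section warns about,
# plus common equivalents (assumption: extend for your own environment).
SENSITIVE_FILES = ("wp-config.php", ".env", ".htpasswd", "/etc/passwd")

# After backslashes are normalised to '/', any "../" is a traversal attempt.
TRAVERSAL = re.compile(r"\.\./")

# Apache/nginx common log format: client, time, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def decode_url(url: str) -> str:
    """Percent-decode until stable (bounded) so %252e%252e is caught too."""
    prev = None
    for _ in range(3):
        if url == prev:
            break
        prev, url = url, unquote(url)
    return url


def classify(url: str) -> list:
    """Return the reasons a request URL looks like a file-download attempt."""
    decoded = decode_url(url).replace("\\", "/")
    reasons = []
    if TRAVERSAL.search(decoded):
        reasons.append("path traversal")
    lowered = decoded.lower()
    for name in SENSITIVE_FILES:
        if name in lowered:
            reasons.append(f"sensitive file: {name}")
    return reasons


def scan_log(lines) -> list:
    """Parse log lines; return (ip, url, status, reasons) for suspicious ones."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in common log format; skip rather than guess
        reasons = classify(m["url"])
        if reasons:
            findings.append((m["ip"], m["url"], int(m["status"]), reasons))
    return findings


# Constructed sample log: two benign requests and two download attempts,
# the second one double-encoded. The query parameter name is a placeholder.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "GET /wp-content/uploads/2026/03/report.pdf HTTP/1.1" 200 48213',
    '203.0.113.7 - - [10/Mar/2026:12:00:05 +0000] "GET /index.php?download=..%2F..%2Fwp-config.php HTTP/1.1" 200 3381',
    '198.51.100.9 - - [10/Mar/2026:12:00:09 +0000] "GET /index.php?download=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 3381',
    '198.51.100.9 - - [10/Mar/2026:12:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2101',
]

if __name__ == "__main__":
    for ip, url, status, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {url} -> {', '.join(reasons)}")
```

A 200 status with a small body on a flagged request is the combination worth escalating: it suggests the file was actually served rather than rejected. The same `classify` logic can be lifted into a WAF rule, but decode before matching, as the double-encoded line shows.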
Affected Products
- Joomunited / WP Media folder Addon: ≤ 4.0.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N