CVE-2014-2040

Name of the Vulnerable Software and Affected Versions Media File Renamer plugin version 1.7.0

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the Media File Renamer plugin for WordPress. These vulnerabilities are found in the callback multicheck, callback radio, and callback wysiwygin functions within the mfrh class.settings-api.php file. They allow remote authenticated users with permissions to add or edit media to inject arbitrary web script or HTML via unspecified parameters. For example, this could be achieved by manipulating the title of an uploaded file.

Recommendations For Media File Renamer plugin version 1.7.0, consider disabling the callback multicheck, callback radio, and callback wysiwygin functions until a patch is available to prevent exploitation. Restrict access to the mfrh class.settings-api.php file to minimize the risk of arbitrary web script or HTML injection. Avoid using unspecified parameters in the affected functions to mitigate the risk. At the moment, there is no information about a newer version that contains a fix for this vulnerability.