External Media without Import Plugin external-media-without-import.php print_media_new_panel cross site scripting
Description
WordPress External Media without Import plugin ≤1.0.0 has reflected XSS via unsanitized URL parameters in the media panel.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The External Media without Import plugin for WordPress versions up to 1.0.0 contains a reflected cross-site scripting (XSS) vulnerability in the print_media_new_panel function within external-media-without-import.php. The function outputs user-supplied values from the url, error, width, height, and mime-type query parameters without proper escaping, using urldecode() directly in HTML attributes and text [1]. This allows an attacker to inject arbitrary JavaScript.
Exploitation
An attacker can craft a malicious URL containing JavaScript payloads in any of the vulnerable parameters and trick a logged-in WordPress administrator or editor into visiting it. The attacker needs no authentication to trigger the XSS; the victim only needs to have the plugin active and to visit the crafted link. The injected script executes in the context of the WordPress admin panel when the media upload page is loaded.
Impact
Successful exploitation leads to reflected XSS, enabling the attacker to execute arbitrary JavaScript in the victim's browser. This can result in session hijacking, defacement, or theft of sensitive information such as authentication cookies. The attack is remote and does not require any special privileges beyond the victim having the plugin installed.
Mitigation
The vulnerability is fixed in version 1.0.1, released at the same commit [2]. The patch replaces urldecode() with esc_url() for the url parameter and esc_html() for the remaining parameters [1]. Users should upgrade to version 1.0.1 or later. No workarounds are documented; upgrading is the recommended action.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The function print_media_new_panel improperly handles user-supplied URL parameters, leading to cross-site scripting."
Attack vector
An attacker can exploit this vulnerability by manipulating the 'url', 'error', 'width', 'height', or 'mime-type' GET parameters. These parameters are directly embedded into the HTML output without proper sanitization. This allows an attacker to inject malicious scripts that will be executed in the victim's browser when they visit a crafted URL. The attack can be initiated remotely.
Affected code
The vulnerability resides in the `print_media_new_panel` function located in the `external-media-without-import.php` file. The patch modifies the lines where GET parameters are echoed into the HTML, specifically for 'url', 'error', 'width', 'height', and 'mime-type' [1].
What the fix does
The patch addresses the cross-site scripting vulnerability by applying output escaping to user-controlled input. Specifically, the `urldecode()` calls for the `url`, `error`, `width`, `height`, and `mime-type` GET parameters have been replaced with `esc_url()` for the URL parameter and `esc_html()` for the other parameters. This ensures that any potentially malicious characters within these parameters are properly escaped before being rendered in the HTML, preventing script execution [1].
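The rendering pattern the advisory describes, in its vulnerable and patched forms, as an added illustration written for this page and not the plugin's own code. It assumes it runs inside WordPress (so `esc_url()` and `esc_html()` are loaded); the function names `render_panel_vulnerable` and `render_panel_fixed` are hypothetical, only the GET parameter names come from the advisory.

```php
<?php
// Added illustration, not code from the plugin. Runs inside WordPress, which
// provides esc_url() and esc_html(). Function names are hypothetical.

// Vulnerable pattern: urldecode() only reverses percent-encoding. It does not
// neutralise quotes or angle brackets, so a crafted query string can close the
// attribute or text node it lands in and the browser executes what follows.
// PHP has already percent-decoded $_GET, so the call is also a double decode,
// which lets encoded payloads slip past any earlier filtering.
function render_panel_vulnerable(): string {
    $url   = urldecode($_GET['url'] ?? '');
    $error = urldecode($_GET['error'] ?? '');
    $width = urldecode($_GET['width'] ?? '');
    $mime  = urldecode($_GET['mime-type'] ?? '');
    return '<input type="text" name="url" value="' . $url . '">'
         . '<p class="error">' . $error . '</p>'
         . '<span class="width">' . $width . '</span>'
         . '<span class="mime">' . $mime . '</span>';
}

// Patched pattern (what the 1.0.1 commit does): esc_url() for the URL value,
// which drops URLs whose scheme is not in wp_allowed_protocols() (javascript:
// is not) and strips characters such as double quotes and angle brackets;
// esc_html() for the text values, which HTML-encodes <, >, &, " and ' so the
// data can no longer change the markup it is placed in.
function render_panel_fixed(): string {
    $url   = esc_url($_GET['url'] ?? '');
    $error = esc_html($_GET['error'] ?? '');
    $width = esc_html($_GET['width'] ?? '');
    $mime  = esc_html($_GET['mime-type'] ?? '');
    return '<input type="text" name="url" value="' . $url . '">'
         . '<p class="error">' . $error . '</p>'
         . '<span class="width">' . $width . '</span>'
         . '<span class="mime">' . $mime . '</span>';
}
```

When reviewing similar plugin code, the grep-able signal is any `$_GET`/`$_REQUEST` value reaching `echo` or string concatenation without an `esc_*()` call on the output side, regardless of what decoding or validation happened on input.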
Preconditions
- Input: the 'url', 'error', 'width', 'height', or 'mime-type' GET parameters must be present and contain malicious script payloads.
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/zzxiang/external-media-without-import/commit/9d2ecd159a6e2e3f710b4f1c28e2714f66502746 (mitre; patch)
- [2] github.com/zzxiang/external-media-without-import/releases/tag/v1.0.1 (mitre; patch)
- vuldb.com (mitre; signature, permissions-required)
- vuldb.com (mitre; vdb-entry, technical-description)
News mentions
No linked articles in our index yet.