CVE-2025-52786
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kingdom Creation Media Folder media-folder allows Reflected XSS.This issue affects Media Folder: from n/a through <= 1.0.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in WordPress Media Folder plugin <=1.0.0 allows script injection via crafted requests, requiring user interaction.
The vulnerability is a reflected cross-site scripting (XSS) in the WordPress Media Folder plugin, versions <=1.0.0. The plugin fails to properly sanitize input before including it in output, enabling arbitrary script injection [1].
An attacker can craft a malicious URL or form that, when visited by an authenticated administrator or other privileged user, executes JavaScript in the victim's session. User interaction is required, as the victim must click the link or visit the crafted page [1].
Successful exploitation could allow an attacker to perform actions on behalf of the victim, such as creating rogue admin accounts, installing backdoors, or redirecting visitors to malicious sites. The vulnerability has been flagged as likely to be used in mass-exploit campaigns [1].
As of the initial disclosure, no official patch is available. However, Patchstack has issued a virtual patch rule for its customers. Users are advised to update the plugin to a patched version when available or implement the virtual patch [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.