CVE-2023-50897

Critical

Published: 05 January 2026

Published

05 January 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0037 58.5th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Unrestricted Upload of File with Dangerous Type vulnerability in Meow Apps Media File Renamer allows Using Malicious Files.This issue affects Media File Renamer: from n/a through 5.7.7.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly addresses CVE-2023-50897 by identifying, prioritizing, and remediating the unrestricted file upload flaw in the Media File Renamer plugin.

SI-10 Information Input Validation good match

prevent

Prevents exploitation by enforcing validation of uploaded files to reject dangerous types and malicious content specific to this vulnerability.

SI-3 Malicious Code Protection good match

preventdetect

Mitigates impact of malicious files uploaded via the plugin by scanning at entry points and eradicating detected code before execution.

Security SummaryAI

CVE-2023-50897 is an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) in the Media File Renamer WordPress plugin developed by Meow Apps. This issue affects all versions of the plugin from n/a through 5.7.7. The vulnerability carries a CVSS v3.1 base score of 9.1 (Critical), reflecting its network accessibility (AV:N), low attack complexity (AC:L), requirement for high privileges (PR:H), lack of user interaction (UI:N), and high impacts on confidentiality, integrity, and availability with a changed scope (S:C/C:H/I:H/A:H).

Exploitation requires an authenticated attacker with high-level privileges, such as an administrator, to abuse the plugin's functionality. By leveraging the unrestricted upload mechanism, the attacker can use malicious files, potentially leading to severe compromise including remote code execution, as indicated by related advisories.

The Patchstack vulnerability database provides detailed analysis and recommendations for mitigation, available at https://vdp.patchstack.com/database/wordpress/plugin/media-file-renamer/vulnerability/wordpress-media-file-renamer-plugin-5-7-7-arbitrary-file-rename-lead-to-rce-vulnerability?_s_id=cve. Security practitioners should review this advisory for patching instructions and workarounds specific to affected WordPress environments.

Details

CWE(s): CWE-434

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Unrestricted file upload with dangerous types in a public-facing WordPress plugin, combined with arbitrary file rename leading to RCE, directly enables exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://vdp.patchstack.com/database/wordpress/plugin/media-file-renamer/vulnerability/wordpress-media-file-renamer-plugin-5-7-7-arbitrary-file-rename-lead-to-rce-vulnerability?_s_id=cve
audit@patchstack.com