Cyber Resilience

CVE-2023-50897

Critical

Published: 05 January 2026

Published
05 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0028 19.7th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2023-50897 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Patchstack (inferred from references). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-50897 is an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434) in the Media File Renamer WordPress plugin developed by Meow Apps. This issue affects all versions of the plugin from n/a through 5.7.7. The vulnerability carries a CVSS v3.1 base score of 9.1 (Critical), reflecting its network accessibility (AV:N), low attack complexity (AC:L), requirement for high privileges (PR:H), lack of user interaction (UI:N), and high impacts on confidentiality, integrity, and availability with a changed scope (S:C/C:H/I:H/A:H).

Exploitation requires an authenticated attacker with high-level privileges, such as an administrator, to abuse the plugin's functionality. By leveraging the unrestricted upload mechanism, the attacker can use malicious files, potentially leading to severe compromise including remote code execution, as indicated by related advisories.

The Patchstack vulnerability database provides detailed analysis and recommendations for mitigation, available at https://vdp.patchstack.com/database/wordpress/plugin/media-file-renamer/vulnerability/wordpress-media-file-renamer-plugin-5-7-7-arbitrary-file-rename-lead-to-rce-vulnerability?_s_id=cve. Security practitioners should review this advisory for patching instructions and workarounds specific to affected WordPress environments.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Unrestricted Upload of File with Dangerous Type vulnerability in Meow Apps Media File Renamer allows Using Malicious Files.This issue affects Media File Renamer: from n/a through 5.7.7.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unrestricted file upload with dangerous types in a public-facing WordPress plugin, combined with arbitrary file rename leading to RCE, directly enables exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-12352Shared CWE-434
CVE-2026-1730Shared CWE-434
CVE-2025-13067Shared CWE-434
CVE-2025-54449Shared CWE-434
CVE-2025-1070Shared CWE-434
CVE-2025-12528Shared CWE-434
CVE-2025-67325Shared CWE-434
CVE-2025-65471Shared CWE-434
CVE-2025-59710Shared CWE-434
CVE-2025-34328Shared CWE-434

Affected Assets

Patchstack
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses CVE-2023-50897 by identifying, prioritizing, and remediating the unrestricted file upload flaw in the Media File Renamer plugin.

prevent

Prevents exploitation by enforcing validation of uploaded files to reject dangerous types and malicious content specific to this vulnerability.

preventdetect

Mitigates impact of malicious files uploaded via the plugin by scanning at entry points and eradicating detected code before execution.

References