Create by Mediavine plugin critical vulnerability

The vulnerability has been patched.
Create version 1.9.5 is back on the

If you have installed the Create by Mediavine plugin (link), it may be a good idea to remove it.
Mediavine official Create plugin page link.

There is a critical vulnerability. According to Wordfence:

The Create by Mediavine plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.9.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Yes, there are vulnerabilities that require a specific scenario which is not easy to reach in practice. However, in this case, the vulnerability is easy to exploit.

I've been using Mediavine as a publisher for about two years now. It is possible to implement Mediavine (and Grow) without any plugins:
My Mediavine and Grow setup guide

As far as I know, Mediavine have submitted an update for their plugin, with the vulnerability patched, and they are waiting for a review and approval from the WordPress plugin team.

If you run one of those "recipe websites" and really want to design pages using a plugin, it might be a good idea to try the WP Recipe Maker (WPRM) plugin (link).

WPRM supports import from Create by Mediavine, so you most probably won't need to re-write all your recipe posts from scratch.
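Added example (not from the post above and not Mediavine's or Wordfence's code): a hypothetical handler that takes an `id` parameter and builds its SQL by string concatenation, beside the parameterised and input-validated forms. The tables, rows and payloads are constructed for the demo; nothing here is Create's actual query or endpoint. It reproduces the class of bug the Wordfence text describes, an untrusted `id` that can append a second query to an existing one, using SQLite so it runs offline. In a WordPress plugin the equivalent hardening is `$wpdb->prepare()` with `%d` placeholders (plus `absint()` on the input), which does for PHP what the `?` placeholder does below.

```python
import sqlite3


def make_db():
    """Constructed sample schema: a public 'recipes' table and a 'users' table an attacker wants."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE recipes (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO recipes VALUES (1, 'Banana bread'), (2, 'Lentil soup');
        INSERT INTO users VALUES (1, 'admin', 'constructed-not-a-real-hash');
        """
    )
    return conn


def get_recipe_unsafe(conn, id_param):
    """Hypothetical vulnerable pattern: the raw request parameter is pasted into the SQL text.

    Because 'id' becomes part of the statement itself, a value such as
    '1 UNION SELECT user_login, user_pass FROM users' changes the query's
    structure and pulls rows from a table the handler never meant to expose.
    """
    sql = f"SELECT id, title FROM recipes WHERE id = {id_param}"
    return conn.execute(sql).fetchall()


def get_recipe_safe(conn, id_param):
    """Parameterised form: the value travels separately from the statement.

    The driver never splices the string into the SQL, so the same payload is
    just compared against the integer column and matches nothing.
    """
    return conn.execute(
        "SELECT id, title FROM recipes WHERE id = ?", (id_param,)
    ).fetchall()


def get_recipe_validated(conn, id_param):
    """Belt and braces: reject anything that is not a positive integer before it reaches SQL.

    This is the Python analogue of validating with absint() in WordPress and
    is what a review would expect alongside the prepared statement.
    """
    if not isinstance(id_param, str) or not id_param.isdigit():
        raise ValueError("id must be a positive integer")
    return get_recipe_safe(conn, int(id_param))


if __name__ == "__main__":
    db = make_db()
    payload = "1 UNION SELECT user_login, user_pass FROM users"
    print("unsafe   :", get_recipe_unsafe(db, payload))     # leaks the users row
    print("safe     :", get_recipe_safe(db, payload))       # []
    print("safe '1' :", get_recipe_safe(db, "1"))           # [(1, 'Banana bread')]
    try:
        get_recipe_validated(db, "1 OR 1=1")
    except ValueError as exc:
        print("validated:", exc)
```

Run it with a stock Python 3 interpreter; the unsafe function returns the constructed `users` row alongside the recipe, while the parameterised and validated versions return nothing for the same input. The point for a reader auditing their own plugins: look for `$wpdb->query()`/`$wpdb->get_results()` calls whose SQL is built with string concatenation of request data, and convert them to `$wpdb->prepare()` with typed placeholders.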
