CVE-2021-36850: 
WordPress vulnerability analysis and mitigation

Cross-Site Request Forgery (CSRF) vulnerability was discovered in WordPress Media File Renamer – Auto & Manual Rename plugin versions 5.1.9 and earlier. The vulnerability was identified on July 19, 2021, and affected parameters include 'post_title', 'filename', and 'lock'. This security issue allows attackers to modify uploaded media titles, filenames, and media locking states (NVD, Patchstack).

The vulnerability is classified as a Cross-Site Request Forgery (CSRF) issue with a CVSS v3.1 Base Score of 5.4 (Medium) according to Patchstack, while NVD rates it at 4.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. The vulnerability is tracked as CWE-352 and affects the plugin's handling of media file parameters (NVD).

When exploited, this vulnerability allows attackers to force authenticated users to perform unwanted actions, specifically changing uploaded media titles, modifying filenames, and altering media locking states without proper authorization (WPScan).

The vulnerability was patched in version 5.2.0 of the WordPress Media File Renamer plugin. Users are advised to update to version 5.2.0 or later to resolve the security issue (WordPress).