Skip to main content

Media Library Assistant CVE-2024-5544

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2024-07-02 security@wordfence.com
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch released
Apr 08, 2026 - 19:39 nvd
Patch available
CVE Published
Jul 02, 2024 - 08:15 nvd
MEDIUM 6.1

DescriptionCVE.org

The Media Library Assistant plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the order parameter in all versions up to, and including, 3.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

AnalysisAI

The Media Library Assistant plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the order parameter in all versions up to, and including, 3.17 due to insufficient input. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. The Media Library Assistant plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the order parameter in all versions up to, and including, 3.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Affected products include: Davidlingren Media Library Assistant.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2023-4634 CRITICAL POC
9.8 Sep 06

The Media Library Assistant plugin for WordPress is vulnerable to Local File Inclusion and Remote Code Execution in vers

CVE-2020-11732 HIGH POC
7.5 Apr 13

The Media Library Assistant plugin before 2.82 for Wordpress suffers from a Local File Inclusion vulnerability in mla_ga

CVE-2020-11928 CRITICAL
9.8 Apr 20

In the media-library-assistant plugin before 2.82 for WordPress, Remote Code Execution can occur via the tax_query, meta

CVE-2024-3518 HIGH
8.8 May 22

The Media Library Assistant plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode(s) in all ver

CVE-2024-5605 HIGH
8.8 Jun 20

The Media Library Assistant plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter wit

CVE-2024-6823 HIGH
8.8 Aug 13

The Media Library Assistant plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type valida

CVE-2026-32399 HIGH
8.5 Mar 13

Blind SQL injection in Media Library Assistant through version 3.32 allows authenticated attackers to execute arbitrary

CVE-2023-0279 HIGH
7.2 Feb 27

The Media Library Assistant WordPress plugin before 3.06 does not properly sanitise and escape a parameter before using

CVE-2026-54198 HIGH
7.1 Jun 16

Reflected cross-site scripting in the Media Library Assistant WordPress plugin (versions up to and including 3.35) allow

CVE-2024-3519 MEDIUM
6.1 May 22

The Media Library Assistant plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the lang parameter

CVE-2024-2871 MEDIUM
6.4 Apr 09

The Media Library Assistant plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode(s) in all ver

CVE-2024-2475 MEDIUM
6.4 Mar 29

The Media Library Assistant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode

Share

CVE-2024-5544 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy