Skip to main content

Media Library Assistant CVE-2024-6823

HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2024-08-13 security@wordfence.com
8.8
CVSS 3.1 · Vendor: wordfence
Share

Severity by source

Vendor (wordfence) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from Vendor (wordfence) · only source for this CVE.

CVSS VectorVendor: wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Aug 13, 2024 - 06:15 cve.org
HIGH 8.8

DescriptionCVE.org

The Media Library Assistant plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation involving the mla-inline-edit-upload-scripts AJAX action in all versions up to, and including, 3.18. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

AnalysisAI

The Media Library Assistant plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation involving the mla-inline-edit-upload-scripts AJAX action in all versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

Technical ContextAI

This vulnerability is classified as Unrestricted File Upload (CWE-434), which allows attackers to upload malicious files that can be executed on the server. The Media Library Assistant plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation involving the mla-inline-edit-upload-scripts AJAX action in all versions up to, and including, 3.18. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Affected products include: Davidlingren Media Library Assistant.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate file types server-side, store uploads outside webroot, use random filenames, scan for malware.

CVE-2023-4634 CRITICAL POC
9.8 Sep 06

The Media Library Assistant plugin for WordPress is vulnerable to Local File Inclusion and Remote Code Execution in vers

CVE-2020-11732 HIGH POC
7.5 Apr 13

The Media Library Assistant plugin before 2.82 for Wordpress suffers from a Local File Inclusion vulnerability in mla_ga

CVE-2020-11928 CRITICAL
9.8 Apr 20

In the media-library-assistant plugin before 2.82 for WordPress, Remote Code Execution can occur via the tax_query, meta

CVE-2024-3518 HIGH
8.8 May 22

The Media Library Assistant plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode(s) in all ver

CVE-2024-5605 HIGH
8.8 Jun 20

The Media Library Assistant plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter wit

CVE-2026-32399 HIGH
8.5 Mar 13

Blind SQL injection in Media Library Assistant through version 3.32 allows authenticated attackers to execute arbitrary

CVE-2023-0279 HIGH
7.2 Feb 27

The Media Library Assistant WordPress plugin before 3.06 does not properly sanitise and escape a parameter before using

CVE-2026-54198 HIGH
7.1 Jun 16

Reflected cross-site scripting in the Media Library Assistant WordPress plugin (versions up to and including 3.35) allow

CVE-2024-3519 MEDIUM
6.1 May 22

The Media Library Assistant plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the lang parameter

CVE-2024-2871 MEDIUM
6.4 Apr 09

The Media Library Assistant plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode(s) in all ver

CVE-2024-2475 MEDIUM
6.4 Mar 29

The Media Library Assistant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode

CVE-2023-4716 MEDIUM
6.4 Sep 22

The Media Library Assistant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mla_gallery' shor

Share

CVE-2024-6823 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy