Skip to main content

Media Library Assistant

19 CVEs product

Monthly

CVE-2026-54198 HIGH This Week

Reflected cross-site scripting in the Media Library Assistant WordPress plugin (versions up to and including 3.35) allows unauthenticated remote attackers to inject script that executes in a victim's browser after a user-interaction event (clicking a crafted link). Per Patchstack, the issue affects David Lingren's plugin and currently has no public exploit identified at time of analysis, but the CVSS 7.1 (scope-changed) reflects that successful execution can pivot into authenticated admin contexts.

XSS Media Library Assistant
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-32399 HIGH This Week

Blind SQL injection in Media Library Assistant through version 3.32 allows authenticated attackers to execute arbitrary SQL queries over the network, potentially leading to unauthorized data access and service disruption. The vulnerability requires valid user credentials but no user interaction, making it exploitable by internal or compromised accounts with minimal effort. No patch is currently available for affected installations.

SQLi Media Library Assistant
NVD VulDB
CVSS 3.1
8.5
EPSS
0.0%
CVE-2024-11974 MEDIUM PATCH This Month

The Media Library Assistant plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘smc_settings_tab', 'unattachfixit-action', and 'woofixit-action’ parameters in all versions. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Media Library Assistant
NVD
CVSS 3.1
6.1
EPSS
1.4%
CVE-2024-6823 HIGH PATCH This Week

The Media Library Assistant plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation involving the mla-inline-edit-upload-scripts AJAX action in all versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

RCE WordPress File Upload Media Library Assistant
NVD
CVSS 3.1
8.8
EPSS
1.3%
CVE-2024-5544 MEDIUM PATCH This Month

The Media Library Assistant plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the order parameter in all versions up to, and including, 3.17 due to insufficient input. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Media Library Assistant
NVD
CVSS 3.1
6.1
EPSS
1.3%
CVE-2024-5605 HIGH This Week

The Media Library Assistant plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter within the mla_tag_cloud Shortcode in all versions up to, and including, 3.16 due. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SQLi Media Library Assistant
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-3519 MEDIUM PATCH This Month

The Media Library Assistant plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the lang parameter in all versions up to, and including, 3.15 due to insufficient input. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS WordPress Media Library Assistant
NVD
CVSS 3.1
6.1
EPSS
2.0%
CVE-2024-3518 HIGH PATCH This Week

The Media Library Assistant plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode(s) in all versions up to, and including, 3.15 due to insufficient escaping on the user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

SQLi WordPress Media Library Assistant
NVD
CVSS 3.1
8.8
EPSS
1.1%
CVE-2024-2871 MEDIUM This Month

The Media Library Assistant plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode(s) in all versions up to, and including, 3.13 due to insufficient escaping on the user. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi WordPress Media Library Assistant
NVD
CVSS 3.1
6.4
EPSS
0.3%
CVE-2024-2475 MEDIUM This Month

The Media Library Assistant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.13 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Media Library Assistant
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2023-24385 MEDIUM This Month

Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Media Library Assistant
NVD
CVSS 3.1
4.8
EPSS
0.3%
CVE-2023-4716 MEDIUM PATCH This Month

The Media Library Assistant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mla_gallery' shortcode in versions up to, and including, 3.10 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Media Library Assistant
NVD VulDB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2023-4634 CRITICAL POC PATCH THREAT Act Now

The Media Library Assistant plugin for WordPress is vulnerable to Local File Inclusion and Remote Code Execution in versions up to, and including, 3.09. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 92.1%.

RCE WordPress PHP Media Library Assistant
NVD GitHub Exploit-DB VulDB
CVSS 3.1
9.8
EPSS
92.1%
Threat
6.2
CVE-2023-34010 MEDIUM This Month

Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Media Library Assistant
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2023-0279 HIGH This Week

The Media Library Assistant WordPress plugin before 3.06 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SQLi Media Library Assistant
NVD WPScan
CVSS 3.1
7.2
EPSS
0.8%
CVE-2022-41618 MEDIUM This Month

Unauthenticated Error Log Disclosure vulnerability in Media Library Assistant plugin <= 3.00 on WordPress. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure WordPress Media Library Assistant
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2020-11928 CRITICAL Act Now

In the media-library-assistant plugin before 2.82 for WordPress, Remote Code Execution can occur via the tax_query, meta_query, or date_query parameter in mla_gallery via an admin. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE Media Library Assistant
NVD
CVSS 3.1
9.8
EPSS
3.6%
CVE-2020-11732 HIGH POC This Week

The Media Library Assistant plugin before 2.82 for Wordpress suffers from a Local File Inclusion vulnerability in mla_gallery link=download. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Information Disclosure Media Library Assistant
NVD
CVSS 3.1
7.5
EPSS
4.9%
CVE-2020-11731 MEDIUM This Month

The Media Library Assistant plugin before 2.82 for Wordpress suffers from multiple XSS vulnerabilities in all Settings/Media Library Assistant tabs, which allow remote authenticated users to execute. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS WordPress Media Library Assistant
NVD
CVSS 3.1
6.1
EPSS
1.2%
EPSS 0% CVSS 7.1
HIGH This Week

Reflected cross-site scripting in the Media Library Assistant WordPress plugin (versions up to and including 3.35) allows unauthenticated remote attackers to inject script that executes in a victim's browser after a user-interaction event (clicking a crafted link). Per Patchstack, the issue affects David Lingren's plugin and currently has no public exploit identified at time of analysis, but the CVSS 7.1 (scope-changed) reflects that successful execution can pivot into authenticated admin contexts.

XSS Media Library Assistant
NVD VulDB
EPSS 0% CVSS 8.5
HIGH This Week

Blind SQL injection in Media Library Assistant through version 3.32 allows authenticated attackers to execute arbitrary SQL queries over the network, potentially leading to unauthorized data access and service disruption. The vulnerability requires valid user credentials but no user interaction, making it exploitable by internal or compromised accounts with minimal effort. No patch is currently available for affected installations.

SQLi Media Library Assistant
NVD VulDB
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

The Media Library Assistant plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘smc_settings_tab', 'unattachfixit-action', and 'woofixit-action’ parameters in all versions. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Media Library Assistant
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

The Media Library Assistant plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation involving the mla-inline-edit-upload-scripts AJAX action in all versions. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

RCE WordPress File Upload +1
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

The Media Library Assistant plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the order parameter in all versions up to, and including, 3.17 due to insufficient input. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Media Library Assistant
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The Media Library Assistant plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter within the mla_tag_cloud Shortcode in all versions up to, and including, 3.16 due. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SQLi Media Library Assistant
NVD
EPSS 2% CVSS 6.1
MEDIUM PATCH This Month

The Media Library Assistant plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the lang parameter in all versions up to, and including, 3.15 due to insufficient input. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS WordPress Media Library Assistant
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

The Media Library Assistant plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode(s) in all versions up to, and including, 3.15 due to insufficient escaping on the user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

SQLi WordPress Media Library Assistant
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Media Library Assistant plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode(s) in all versions up to, and including, 3.13 due to insufficient escaping on the user. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi WordPress Media Library Assistant
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Media Library Assistant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.13 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Media Library Assistant
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM This Month

Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Media Library Assistant
NVD
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

The Media Library Assistant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mla_gallery' shortcode in versions up to, and including, 3.10 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Media Library Assistant
NVD VulDB
EPSS 92% 6.2 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

The Media Library Assistant plugin for WordPress is vulnerable to Local File Inclusion and Remote Code Execution in versions up to, and including, 3.09. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 92.1%.

RCE WordPress PHP +1
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Media Library Assistant
NVD
EPSS 1% CVSS 7.2
HIGH This Week

The Media Library Assistant WordPress plugin before 3.06 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SQLi Media Library Assistant
NVD WPScan
EPSS 1% CVSS 5.3
MEDIUM This Month

Unauthenticated Error Log Disclosure vulnerability in Media Library Assistant plugin <= 3.00 on WordPress. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure WordPress Media Library Assistant
NVD
EPSS 4% CVSS 9.8
CRITICAL Act Now

In the media-library-assistant plugin before 2.82 for WordPress, Remote Code Execution can occur via the tax_query, meta_query, or date_query parameter in mla_gallery via an admin. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE Media Library Assistant
NVD
EPSS 5% CVSS 7.5
HIGH POC This Week

The Media Library Assistant plugin before 2.82 for Wordpress suffers from a Local File Inclusion vulnerability in mla_gallery link=download. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Information Disclosure Media Library Assistant
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

The Media Library Assistant plugin before 2.82 for Wordpress suffers from multiple XSS vulnerabilities in all Settings/Media Library Assistant tabs, which allow remote authenticated users to execute. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS WordPress Media Library Assistant
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy