Stored Cross-Site Scripting Vulnerability in Media Library Assistant Plugin for WordPress
CVE-2023-4716

6.4 MEDIUM

Key Information:

Vendor: Dglingren
Status
Media Library Assistant
Vendor
CVE Published: 22 September 2023

Summary

The Media Library Assistant plugin for WordPress suffers from a Stored Cross-Site Scripting vulnerability via the 'mla_gallery' shortcode, which allows authenticated users with contributor-level permissions or higher to inject malicious scripts. This is caused by inadequate input sanitization and output escaping for user-supplied attributes. When a user accesses a page with such an injection, arbitrary web scripts can execute, potentially compromising user data and site integrity.

Affected Version(s)

Media Library Assistant * <= 3.10

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Lana Codes