Stored Cross-Site Scripting Vulnerability in Media Library Assistant Plugin for WordPress
CVE-2023-4716
6.4 MEDIUM
Key Information:
- Vendor: Dglingren
- Product: Media Library Assistant
- CVE Published: 22 September 2023
Summary
The Media Library Assistant plugin for WordPress suffers from a Stored Cross-Site Scripting vulnerability via the 'mla_gallery' shortcode, which allows authenticated users with contributor-level permissions or higher to inject malicious scripts. This is caused by inadequate input sanitization and output escaping for user-supplied attributes. When a user accesses a page with such an injection, arbitrary web scripts can execute, potentially compromising user data and site integrity.
Affected Version(s)
Media Library Assistant * <= 3.10
CVSS V3.1
- Score: 6.4
- Severity: MEDIUM
- Confidentiality: Low
- Integrity: Low
- Availability: Low
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Lana Codes