Reflected Cross-Site Scripting Vulnerability in Media Library Assistant Plugin for WordPress
CVE-2024-11974

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Media Library Assistant
Vendor: CVE Published:; 4 January 2025

What is CVE-2024-11974?

The Media Library Assistant plugin used in WordPress has a vulnerability due to inadequate input validation and output sanitization in the 'smc_settings_tab', 'unattachfixit-action', and 'woofixit-action' parameters. This flaw allows unauthenticated adversaries to exploit the vulnerability by crafting malicious web scripts. Upon tricking a victim into clicking a specially crafted link, these scripts could execute within the context of the affected WordPress site, thereby compromising the integrity of the website and potentially leading to data exposure or further attacks.

Affected Version(s)

Media Library Assistant * <= 3.23

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/media-library-...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 4, 2025
Vulnerability Reserved
Nov 28, 2024

Credit

Dale Mavers