SQL Injection Vulnerability in Media Library Assistant Plugin for WordPress
CVE-2024-2871

6.4 MEDIUM

Key Information:

Vendor
WordPress
CVE Published:
9 April 2024

Summary

The Media Library Assistant plugin for WordPress, in versions up to and including 3.13, is vulnerable to SQL Injection via its shortcode handling. Attribute values supplied to the plugin's shortcode are not sufficiently escaped, and the existing SQL query is not sufficiently prepared, so an authenticated attacker with Contributor-level access or higher can append additional SQL statements to the query the plugin already runs and use them to read sensitive data from the WordPress database. Contributor is the lowest role that can author posts, and a shortcode in a draft executes when the post is previewed, so no publishing rights are required. Update the plugin to version 3.14 or later, which corrects the query handling.
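The pattern behind this class of bug, as an added example that is not code from the Media Library Assistant plugin: a hypothetical shortcode that lists attachments by MIME type, first in the unsafe shape the advisory describes and then hardened with $wpdb->prepare() and an identifier allow-list. The shortcode name [example_media_list], its attribute names and the function names are invented for illustration; the WordPress APIs used (add_shortcode, shortcode_atts, $wpdb->prepare, $wpdb->get_results, esc_html) are real.

```php
<?php
// Added illustration only; not the plugin's code. All names below are assumed.

// VULNERABLE: shortcode attributes are concatenated straight into SQL.
// Anyone who can put [example_media_list] into a post and preview it
// (Contributor and above) controls the query text.
function example_media_list_vulnerable( $atts ) {
    global $wpdb;
    $atts = shortcode_atts(
        array( 'mime' => 'image/jpeg', 'orderby' => 'post_date' ),
        $atts,
        'example_media_list'
    );

    // mime="x' UNION SELECT user_login, user_pass FROM {$wpdb->users} -- "
    // turns the attachment listing into a dump of password hashes.
    $sql  = "SELECT ID, post_title FROM {$wpdb->posts}"
          . " WHERE post_type = 'attachment'"
          . " AND post_mime_type = '" . $atts['mime'] . "'"
          . " ORDER BY " . $atts['orderby'];
    $rows = $wpdb->get_results( $sql );

    return example_media_list_render( $rows );
}

// HARDENED: values go through $wpdb->prepare() placeholders; identifiers,
// which prepare() cannot parameterise, are restricted to a fixed list.
function example_media_list_safe( $atts ) {
    global $wpdb;
    $atts = shortcode_atts(
        array( 'mime' => 'image/jpeg', 'orderby' => 'post_date' ),
        $atts,
        'example_media_list'
    );

    $allowed_orderby = array( 'post_date', 'post_title', 'ID' );
    $orderby = in_array( $atts['orderby'], $allowed_orderby, true )
        ? $atts['orderby']
        : 'post_date';

    // %s is quoted and escaped by prepare(); $orderby comes only from the
    // allow-list above, so interpolating it is safe.
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_type = 'attachment' AND post_mime_type = %s
         ORDER BY {$orderby}",
        $atts['mime']
    );
    $rows = $wpdb->get_results( $sql );

    return example_media_list_render( $rows );
}

// Shared renderer: escape on output as well, since post titles are
// user-controlled data coming back out of the database.
function example_media_list_render( $rows ) {
    $out = '<ul>';
    foreach ( (array) $rows as $row ) {
        $out .= '<li>' . esc_html( $row->post_title ) . '</li>';
    }
    return $out . '</ul>';
}

add_shortcode( 'example_media_list', 'example_media_list_safe' );
```

When reviewing a shortcode handler for this bug, look for every attribute that reaches $wpdb->query(), get_results(), get_var() or get_col() without passing through prepare(), and pay particular attention to ORDER BY, LIMIT and column names, which need an allow-list or absint() rather than a placeholder. Where possible, avoid hand-written SQL entirely and let WP_Query or get_posts() build the query from a post_mime_type argument.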

Affected Version(s)

Media Library Assistant <= 3.13 (fixed in 3.14)

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Timeline

  • Vulnerability reserved

  • Vulnerability published: 9 April 2024

Credit

Matthew Rollings