SQL Injection Vulnerability in Media Library Assistant Plugin for WordPress
CVE-2024-2871
6.4 MEDIUM
What is CVE-2024-2871?
The Media Library Assistant plugin for WordPress contains an SQL injection vulnerability that authenticated users with contributor access or higher can exploit. Because the plugin insufficiently validates and escapes input, an attacker can manipulate input passed through the plugin's shortcode to inject additional SQL queries into existing ones. This can lead to unauthorized access to, and extraction of, sensitive information from the WordPress database, posing a significant security risk to users. Update the plugin to version 3.14 or later to mitigate this vulnerability.
Affected Version(s)
Media Library Assistant * <= 3.13
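To triage installations against the affected range above, the version in a plugin's header comment can be compared with the fixed release. This is an added example, not code from the advisory or the plugin; the sample headers are constructed, and treating every version below 3.14 as affected is an assumption based on the stated fix version.

```python
import re

PLUGIN_NAME = "Media Library Assistant"  # name as given in the advisory
FIXED_VERSION = "3.14"                   # fixed release named in the advisory

# WordPress-style header line, e.g. " * Version: 3.13"
HEADER_FIELD = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)

def parse_plugin_header(source):
    """Return the 'plugin name' and 'version' header fields, keyed in lower case."""
    fields = {}
    for key, value in HEADER_FIELD.findall(source[:8192]):  # header sits at the top of the file
        fields.setdefault(key.lower(), value)
    return fields

def version_key(version):
    """'3.9' -> (3, 9): compare segment by segment, never as a float or string."""
    return tuple(int(part) for part in version.split("."))

def audit(source):
    """Classify one plugin main file against the advisory's affected range."""
    fields = parse_plugin_header(source)
    if fields.get("plugin name") != PLUGIN_NAME:
        return "not-applicable"
    version = fields.get("version", "")
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        return "unknown-version"  # pre-release tags etc. need a manual look
    # Assumption: anything below the fixed release counts as affected.
    if version_key(version) < version_key(FIXED_VERSION):
        return "affected"
    return "patched"

def make_header(name, version):
    """Build a constructed sample header for the demonstration below."""
    return f"<?php\n/*\nPlugin Name: {name}\nVersion: {version}\n*/\n"

if __name__ == "__main__":
    for name, version in [(PLUGIN_NAME, "3.9"), (PLUGIN_NAME, "3.13"),
                          (PLUGIN_NAME, "3.14"), ("Some Other Plugin", "1.0")]:
        print(name, version, "->", audit(make_header(name, version)))
```

Comparing the versions as floats would rank 3.9 above 3.14 and report an affected install as patched, which is why the check compares integer segments.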