CVE-2024-5605

Name of the Vulnerable Software and Affected Versions Media Library Assistant plugin for WordPress versions up to, and including, 3.16

Description The issue allows authenticated attackers with contributor-level access and above to perform time-based SQL Injection via the order parameter within the "mla tag cloud" Shortcode. This is due to insufficient escaping on the user-supplied order parameter and lack of sufficient preparation on the existing SQL query, making it possible to extract sensitive information from the database.

Recommendations For versions up to, and including, 3.16, consider disabling the mla tag cloud Shortcode until a patch is available to prevent exploitation. Restrict access to the order parameter within the mla tag cloud Shortcode to minimize the risk of SQL Injection attacks. Avoid using the order parameter in the affected Shortcode until the issue is resolved.