WordPress Plugin Vulnerabilities

Media Library Assistant < 2.82 - Authenticated RCE

Description

Remote Code Execution can occur via the tax_query, meta_query, and date_query parameter of the [mla_gallery] shortcode.

Affects Plugins

Plugin icon
media-library-assistant
Fixed in 2.82

References

CVE
CVE-2020-11928

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
9.1 (critical)

Miscellaneous

Verified
No
WPVDB ID
33347b8a-e949-453f-a485-6aa5b3547727

Timeline

Publicly Published
2020-04-19 (about 4 years ago)
Added
2020-04-20 (about 4 years ago)
Last Updated
2020-04-21 (about 4 years ago)

Other

Published
Title
Published
2021-07-05
Title
Speed Booster Pack 4.2.0-beta - Authenticated (admin+) RCE
Published
2024-04-05
Title
Advanced Order Export For WooCommerce < 3.4.5 - Shop Manager+ Remote Code Execution
Published
2023-12-11
Title
Backup Migration < 1.3.8 - Unauthenticated RCE
Published
2022-10-14
Title
WP All Import < 3.6.9 - Admin+ Arbitrary File Upload to RCE
Published
2021-12-05
Title
WP Coder < 2.5.2 - RFI leading to RCE via CSRF