CVE-2023-4634

Exploit

EPSS 82.59%
Veröffentlicht 06.09.2023 09:15:08
Zuletzt bearbeitet 08.04.2026 17:17:03
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Media Library Assistant <= 3.09 - Unauthenticated Local/Remote File Inclusion & Remote Code Execution

The Media Library Assistant plugin for WordPress is vulnerable to Local File Inclusion and Remote Code Execution in versions up to, and including, 3.09. This is due to insufficient controls on file paths being supplied to the 'mla_stream_file' parameter from the ~/includes/mla-stream-image.php file, where images are processed via Imagick(). This makes it possible for unauthenticated attackers to supply files via FTP that will make directory lists, local file inclusion, and remote code execution possible.

Mögliche Gegenmaßnahme

Media Library Assistant: Update to version 3.10, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 9

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Davidlingren ≫ Media Library Assistant SwPlatformwordpress Version < 3.10

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Media Library Assistant

Version *-3.09

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	82.59%	0.996

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-73 External Control of File Name or Path

The product allows user input to control or influence paths or file names that are used in filesystem operations.

https://github.com/Patrowl/CVE-2023-4634/

Third Party Advisory

Exploit

https://packetstormsecurity.com/files/174508/wpmla309-lfiexec.tgz

Third Party Advisory

VDB Entry

https://patrowl.io/blog-wordpress-media-library-rce-cve-2023-4634/

Third Party Advisory

Exploit

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2955933%40media-library-assistant&new=2955933%40media-library-assistant&sfp_email=&sfph_mail=#file4

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/05c68377-feb6-442d-a3a0-1fbc246c7cbf?source=cve

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/05c68377-feb6-442d-a3a0-1fbc246c7cbf

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-4634

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-4634

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-4634

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-4634