A Remote Code Execution (RCE) vulnerability has been identified in the WordPress Media Library Assistant Plugin. This vulnerability could allow an attacker to execute arbitrary code on the affected website and potentially take full control of it.

This vulnerability was discovered and responsibly reported by Pepitoh.

The RCE vulnerability occurs in the ml-assistant.php file. It allows an attacker to execute arbitrary code on the affected website by uploading a specially crafted file.

Severity:

The vulnerability has a CVSS 3.1 score of 10.0, which is rated critical. This means that the vulnerability is highly exploitable and could have a significant impact on the affected system.

Affected Versions:

The vulnerability affects all versions of the Media Library Assistant Plugin prior to 3.10.

Impact:

An attacker who successfully exploits this vulnerability could:

  • Execute arbitrary code on the affected website.
  • Gain full control of the website.

Recommendation:

Users can take the following steps to reduce the risk of exploitation:

  • Immediate Update: Users of the Media Library Assistant Plugin are strongly advised to update to the latest available version (at least 3.10). This vulnerability has been fixed in version 3.10.
  • Regular Security Audits: Proactively conduct thorough security audits on the WordPress website at regular intervals.
  • Stay Informed: Stay informed about official updates or advisories pertaining to the Media Library Assistant Plugin.
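
To confirm which installations still run a release prior to 3.10, the following added example (not code from the plugin or its author) reads the standard WordPress plugin header from each file under a plugins directory and compares versions component by component, since a string or float comparison misorders 3.9 and 3.10. The default directory path, the function names and the sample header are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

FIXED = (3, 10)  # first fixed release, per the advisory
PLUGIN_NAME = "Media Library Assistant"
# WordPress reads plugin metadata from "Key: value" lines in the file header.
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):(.*)$", re.M | re.I)

def parse_version(text):
    """'3.09' -> (3, 9), '3.10' -> (3, 10). Integers per component, never a float."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()

def read_header(source):
    """Return the first Plugin Name and Version found in the first 8 KiB."""
    out = {}
    for key, value in HEADER.findall(source[:8192]):
        out.setdefault(key.lower(), value.strip())
    return out

def is_vulnerable(version_text):
    """True when the version is earlier than 3.10 or cannot be parsed."""
    v = parse_version(version_text)
    return not v or v < FIXED  # unknown version: treat as unpatched

def audit(plugins_dir):
    """Yield (path, version, vulnerable) for each copy of the plugin found."""
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        head = read_header(php.read_text(errors="replace"))
        if head.get("plugin name", "").lower() == PLUGIN_NAME.lower():
            ver = head.get("version", "")
            yield str(php), ver, is_vulnerable(ver)

# Constructed sample header for illustration, not copied from the plugin.
SAMPLE = (
    "<?php\n"
    "/*\n"
    "Plugin Name: Media Library Assistant\n"
    "Version: 3.09\n"
    "*/\n"
)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"  # assumed path
    for path, ver, bad in audit(root):
        print(f"{'VULNERABLE' if bad else 'ok':10} {ver or '?':8} {path}")
```

Run it with the path to a site's plugins directory as the only argument; any line marked VULNERABLE identifies a copy that still needs the update.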

Conclusion:

This vulnerability is a serious threat to the security of WordPress websites that use the Media Library Assistant Plugin. Users are strongly advised to update to the latest available version as soon as possible.