CVE-2020-11732
published 2020-04-13

CVE-2020-11732: The Media Library Assistant plugin before 2.82 for Wordpress suffers from a Local File Inclusion vulnerability in mla_gallery link=download.

Priority: P2 · 75 · high
CVSS 3.1 base score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ITW exploit · VulnCheck KEV
Exploited in the wild
EPSS: 4.92% (91.0th percentile)

Affected

1 range

Vendor          Product                    Version range   Fixed in
davidlingren    media_library_assistant    < 2.82          2.82

Detection & IOCs (extracted from sources)

path: /wp-content/plugins/media-library-assistant/includes/mla-file-downloader.php
url: /wp-content/plugins/media-library-assistant/includes/mla-file-downloader.php?mla_download_type=text/html&mla_download_file=/var/www/html/wordpress/wp-content/index.php
url: /wp-content/plugins/media-library-assistant/includes/mla-file-downloader.php?mla_download_type=text/html&mla_download_file=/var/www/html/wp-content/index.php
  • Look for unauthenticated GET requests to mla-file-downloader.php with both 'mla_download_type' and 'mla_download_file' query parameters present — this is the exploit vector requiring no authentication.
  • Alert on HTTP 200 responses to mla-file-downloader.php where the response body contains '// Silence is golden.' — the Nuclei template uses this as a confirmation matcher for successful LFI.
  • The mla_download_file parameter accepts absolute file paths (including Windows-style paths such as C:\...\options.php), enabling traversal to arbitrary local files. Monitor for path separators and sensitive filenames in this parameter.
  • Use FOFA/Shodan/PublicWWW fingerprint queries to identify exposed WordPress instances running the vulnerable plugin before hunting for active exploitation.
  • The LFI is triggered via the 'mla_gallery link=download' parameter path as well as directly via mla-file-downloader.php; both attack surfaces should be covered in detection rules.
  • The exploit is confirmed unauthenticated, meaning no session cookie or privilege level is required — perimeter/WAF rules should not restrict detection to authenticated sessions.
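As an added example (not taken from the page's sources), a small Python scanner that applies the first and third bullets above to web-server access logs: it flags requests to mla-file-downloader.php, rates them higher when both query parameters are present and the requested file is an absolute or traversal path, and reports a hit that got HTTP 200. The log lines, IP addresses and the wp-config.php filename in the sensitive list are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Apr/2020:10:01:02 +0000] "GET /wp-content/plugins/media-library-assistant/includes/mla-file-downloader.php?mla_download_type=text/html&mla_download_file=/var/www/html/wp-content/index.php HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [13/Apr/2020:10:01:05 +0000] "GET /wp-content/plugins/media-library-assistant/includes/mla-file-downloader.php?mla_download_type=text/html&mla_download_file=C:%5Cinetpub%5Cwwwroot%5Cwp-includes%5Coptions.php HTTP/1.1" 200 2048 "-" "curl/7.68.0"
198.51.100.4 - - [13/Apr/2020:10:02:00 +0000] "GET /wp-content/plugins/media-library-assistant/includes/mla-file-downloader.php?mla_download_file=readme.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Apr/2020:10:03:00 +0000] "GET /wp-content/uploads/2020/04/photo.jpg HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
ENDPOINT = "/mla-file-downloader.php"
# Filenames worth an extra flag: options.php is named on the page, wp-config.php is an assumed addition.
SENSITIVE = ("options.php", "wp-config.php")

def analyze_line(line):
    """Return a finding dict for a request to the vulnerable endpoint, else None."""
    m = LOG_RE.match(line)
    if not m or not urlsplit(m["target"]).path.endswith(ENDPOINT):
        return None
    qs = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    target_file = unquote(qs.get("mla_download_file", [""])[0])
    reasons = ["request to mla-file-downloader.php"]
    if "mla_download_type" in qs and "mla_download_file" in qs:
        reasons.append("both mla_download_type and mla_download_file present")
    # Absolute POSIX path, Windows drive path, or dot-dot traversal in the file parameter.
    if target_file.startswith("/") or re.match(r"^[A-Za-z]:[\\/]", target_file) or ".." in target_file:
        reasons.append("absolute or traversal path in mla_download_file")
    if target_file.lower().endswith(SENSITIVE):
        reasons.append("sensitive filename requested")
    # A 200 to a request with the full parameter pair is the strongest signal an access log
    # gives; the '// Silence is golden.' body match needs response capture, not just logs.
    if len(reasons) > 1:
        severity = "high" if m["status"] == "200" else "medium"
    else:
        severity = "low"
    return {"src": m["src"], "time": m["ts"], "status": int(m["status"]),
            "file": target_file, "severity": severity, "reasons": reasons}

def scan_log(text):
    """Scan a whole access log and return findings in log order, one per matching line."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['src']:15} {f['status']} {f['file']} <- {'; '.join(f['reasons'])}")
```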

CVSS provenance

nvd        v3.1    7.5 HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd        v2.0    5.0 MEDIUM    AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck          7.5 HIGH