CVE-2023-4634
published 2023-09-06


Priority: P1 (89)
CVSS 3.1: 9.8 critical
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW exploit, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 82.58% (99.6th percentile)
The Media Library Assistant plugin for WordPress is vulnerable to Local File Inclusion and Remote Code Execution in versions up to, and including, 3.09. This is due to insufficient controls on file paths being supplied to the 'mla_stream_file' parameter from the ~/includes/mla-stream-image.php file, where images are processed via Imagick(). This makes it possible for unauthenticated attackers to supply files via FTP that will make directory lists, local file inclusion, and remote code execution possible.

Affected (2 ranges)

Vendor         Product                   Version range   Fixed in
davidlingren   media_library_assistant   < 3.10          3.10
dglingren      media_library_assistant   <= 3.09         (not listed)

Detection & IOCs (extracted from sources)

path: /wp-content/plugins/media-library-assistant/includes/mla-stream-image.php
url:  {{BaseURL}}/wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=ftp://{{interactsh-url}}/patrowl.svg
path: /wp-content/plugins/media-library-assistant/readme.txt

  • Monitor GET requests to mla-stream-image.php containing an `mla_stream_file` parameter with an FTP scheme (ftp://); this is the primary exploitation vector for CVE-2023-4634.
  • Use Shodan/FOFA/PublicWWW queries to identify exposed WordPress instances running the vulnerable plugin before active exploitation.
  • Detect DNS/FTP callback interactions triggered by the `mla_stream_file` parameter pointing to an external host, which indicate SSRF/LFI probing.
  • Flag the presence of `mla_debug=log` and `mla_stream_frame=1` query parameters alongside `mla_stream_file` as indicators of active exploitation attempts.
  • Exploitation success depends on the Imagick policy.xml configuration on the target server. Default WordPress/Imagick installations are most at risk.
  • The vulnerability is unauthenticated and exploitable via attacker-controlled FTP-hosted SVG files processed by Imagick; no WordPress credentials are required.

CVSS provenance

Source      Version   Score   Severity   Vector
NVD         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck   -         9.8     CRITICAL   -