Media Library Assistant < 3.28 – Authenticated (Author+) Limited File Deletion | CVE 2025-8357 | Plugin Vulnerabilities

Description

The Media Library Assistant plugin for WordPress is vulnerable to arbitrary file deletion in the /wp-content/uploads directory due to insufficient file path validation and user capability checking in the _process_mla_download_file function in all versions up to, and including, 3.27. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server from the /wp-content/uploads/ directory.

Affects Plugins

media-library-assistant

Fixed in 3.28

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/8726375f-de67-4c92-9cf8-1bfb7330f327

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

wesley (wcraft)

Verified

No

WPVDB ID

1a1e0c50-cefa-4a0e-b22c-3e0f6d26db7d

Timeline

Publicly Published

2025-08-18 (about 10 months ago)

Added

2025-08-18 (about 10 months ago)

Last Updated

2025-08-19 (about 10 months ago)

Other

Published

Title

Published

2026-01-05

Title

GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress < 7.6.2 - Missing Authorization to Authenticated (Subscriber+) Information Exposure

Published

2025-01-16

Title

Realty Workstation <= 1.0.45 - Missing Authorization

Published

2025-12-04

Title

Projectopia – WordPress Project Management < 5.1.20 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion

Published

2026-05-26

Title

Event Booking Manager for WooCommerce < 5.3.4 - Missing Authorization

Published

2024-06-12

Title

Himer - Social Questions and Answers < 2.1.1 - Subscriber+ Private Group Joining via IDOR