WordPress Plugin Vulnerabilities

Media Library Assistant < 2.82 - Unauthenticated Limited Local File Inclusion

Description

The Media Library Assistant plugin before 2.82 for WordPress suffers from a Local File Inclusion vulnerability in mla_gallery link=download.

Proof of Concept

Affects Plugins

Plugin icon
media-library-assistant
Fixed in 2.82

References

CVE
CVE-2020-11732
Exploitdb
48315
URL
https://packetstormsecurity.com/files/#157200/
URL
https://plugins.trac.wordpress.org/changeset/2273526/media-library-assistant

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
7.5 (high)

Miscellaneous

Verified
Yes
WPVDB ID
80d60584-fa03-407e-a7bd-32d507a1046d

Timeline

Publicly Published
2020-04-13 (about 5 years ago)
Added
2020-04-13 (about 5 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2016-07-13
Title
WP Fastest Cache <= 0.8.5.9 - Local File Inclusion (LFI)
Published
2025-07-02
Title
JKDEVKIT <= 1.9.4 - Authenticated (Subscriber+) Arbitrary File Deletion
Published
2025-04-03
Title
Countdown, Coming Soon, Maintenance – Countdown & Clock < 2.9.0 - Unauthenticated Limited Local File Inclusion
Published
2024-07-19
Title
Mercado Pago payments for WooCommerce 7.3.0 - 7.6.1 - Authenticated (Subscriber+) Arbitrary File Download
Published
2025-06-09
Title
Aeroscroll Gallery <= 1.0.13 - Unauthenticated Directory Traversal