Critical severity9.8NVD Advisory· Published Sep 6, 2023· Updated Apr 8, 2026

CVE-2023-4634

Description

The Media Library Assistant plugin for WordPress is vulnerable to Local File Inclusion and Remote Code Execution in versions up to, and including, 3.09. This is due to insufficient controls on file paths being supplied to the 'mla_stream_file' parameter from the ~/includes/mla-stream-image.php file, where images are processed via Imagick(). This makes it possible for unauthenticated attackers to supply files via FTP that will make directory lists, local file inclusion, and remote code execution possible.

Affected products

Davidlingren/Media Library Assistant
cpe:2.3:a:davidlingren:media_library_assistant:*:*:*:*:*:wordpress:*:*
Range: <3.10

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/changesetnvdPatch
patrowl.io/blog-wordpress-media-library-rce-cve-2023-4634/nvdExploitThird Party Advisory
packetstormsecurity.com/files/174508/wpmla309-lfiexec.tgznvdThird Party AdvisoryVDB Entry
www.wordfence.com/threat-intel/vulnerabilities/id/05c68377-feb6-442d-a3a0-1fbc246c7cbfnvdThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.074
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000