[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fAuWebbTN96aFjdrEAKOubFq0ezVtl9haMv2lBHD5DYc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-34897","media-library-assistant-authenticated-contributor-stored-cross-site-scripting","Media Library Assistant \u003C= 3.34 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Media Library Assistant plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.34 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","media-library-assistant",null,"\u003C=3.34","3.35","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-06 00:00:00","2026-04-13 21:12:50",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2ef402a9-b194-444c-9af4-5f79ab573beb?source=api-prod",8,[22,23,24,25,26,27,28,29],"css\u002Fmla-media-modal-style-rtl.css","css\u002Fmla-media-modal-style.css","includes\u002Fclass-mla-core.php","includes\u002Fclass-mla-data.php","includes\u002Fclass-mla-media-modal.php","includes\u002Fclass-mla-settings-custom-fields-tab.php","includes\u002Fclass-mla-settings-iptc-exif-tab.php","includes\u002Fclass-mla-shortcode-archive-list.php","researched",false,3,"mode=list`.\n\n    *Which is more likely?*\n    The description says \"Stored XSS in pages\". In WordPress, \"pages\" usually means frontend.\n    So Shortcode is the winner.\n\n    - Target: `[mla_gallery]`.\n    - Attribute: `mla_markup`.\n    - Payload: `inline:\u003Cscript>alert('CVE-2026-34897')\u003C\u002Fscript>`.\n\n    *Wait!* Does `[mla_gallery]` require an attachment to render?\n    Usually, yes. So we should ensure at least one attachment exists.\n    `wp media import \u002Fpath\u002Fto\u002Fimage.jpg`\n\n    1.  Create a Contributor.\n    2.  Upload an image (to ensure the shortcode has something to process).\n    3.  Create a post with `[mla_gallery post_mime_type=all mla_markup=\"inline:\u003Cscript>alert(document.domain)\u003C\u002Fscript>\"]`.\n    4.  Navigate to the post as Admin.\n    5.  Check for alert.\n\n    `MLACore::mla_get_option( MLACoreOptions::MLA_MEDIA_MODAL_TOOLBAR )`\n    If we wanted to exploit the Media Modal specifically. But shortcodes are easier to automate.\n\n    *Final check on Nonce Acquisition:*\n    Even if not strictly needed for the Shortcode, I will provide the steps to get `mla_admin_nonce` because the prompt asks for it.\n","The Media Library Assistant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [mla_gallery] shortcode. This occurs because the 'mla_markup' attribute, specifically when using the 'inline:' prefix, does not sufficiently sanitize or escape user-provided HTML, allowing authenticated attackers with Contributor-level access and above to inject arbitrary scripts into pages.","\u002F\u002F includes\u002Fclass-mla-data.php (Approx. line 150 in 3.34)\npublic static function mla_parse_template( $tpl, $markup_values ) {\n\t\u002F\u002F If templates are present we must step through $tpl and expand them\n\tif ( isset( $markup_values['[+template_count+]'] ) ) {\n\t\t$offset = 0;\n\t\twhile ( false !== $start = strpos( $tpl, '[+', $offset ) ) {\n\t\t\tif ( $template_content = self::_find_template_substring( substr( $tpl, $start ) ) ) {\n\t\t\t\t$template_length = strlen( $template_content );\n\t\t\t\t$template_content = substr( $template_content, 11, $template_length - (11 + 2) );\n\t\t\t\t$template_content = self::_expand_field_level_template( $template_content, $markup_values );\n\n\t\t\t\t$tpl = substr_replace( $tpl, $template_content, $start, $template_length );\n\t\t\t\t$offset = $start + strlen( $template_content );\n\t\t\t} else { \u002F\u002F found template\n\t\t\t\t$offset = $start + 2;\n\t\t\t}\n\t\t} \u002F\u002F while substitution parameter present\n\t} \u002F\u002F templates are present","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmedia-library-assistant\u002F3.34\u002Fincludes\u002Fclass-mla-core.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmedia-library-assistant\u002F3.35\u002Fincludes\u002Fclass-mla-core.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmedia-library-assistant\u002F3.34\u002Fincludes\u002Fclass-mla-core.php\t2026-03-07 00:56:28.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmedia-library-assistant\u002F3.35\u002Fincludes\u002Fclass-mla-core.php\t2026-03-30 00:02:10.000000000 +0000\n@@ -21,7 +21,7 @@\n \t *\n \t * @var\tstring\n \t *\u002F\n-\tconst CURRENT_MLA_VERSION = '3.34';\n+\tconst CURRENT_MLA_VERSION = '3.35';\n \n \t\u002F**\n \t * Current date for Development Versions, empty for production versions\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmedia-library-assistant\u002F3.34\u002Fincludes\u002Fclass-mla-data.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmedia-library-assistant\u002F3.35\u002Fincludes\u002Fclass-mla-data.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmedia-library-assistant\u002F3.34\u002Fincludes\u002Fclass-mla-data.php\t2026-03-07 00:56:28.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmedia-library-assistant\u002F3.35\u002Fincludes\u002Fclass-mla-data.php\t2026-03-19 22:37:14.000000000 +0000\n@@ -4278,6 +4288,22 @@\n \n \t\t$id3_metadata = self::mla_fetch_attachment_id3_metadata( $post_id );\n \t\tif ( ! empty( $id3_metadata ) && !isset( $id3_metadata['error'] ) ) {\n+\t\t\t\u002F\u002F Replace image blobs with a text message\n+\t\t\tif ( isset( $id3_metadata['comments']['picture'] ) && is_array( $id3_metadata['comments']['picture'] ) ) {\n+\t\t\t\tforeach ( $id3_metadata['comments']['picture'] as $key => $picture ) {\n+\t\t\t\t\tif ( isset( $picture['data'] ) ) {\n+\t\t\t\t\t\t$image_size = strlen( $picture['data'] );\n+\t\t\t\t\t\t$id3_metadata['comments']['picture'][ $key ]['data'] = '( ' . $image_size . ' ' . __( 'bytes of BINARY DATA', 'media-library-assistant' ) . ' )';\n+\t\t\t\t\t}\n+\t\t\t\t}\n+\n+\t\t\t}\n+\n+\t\t\tif ( isset( $id3_metadata['image']['data'] ) ) {\n+\t\t\t\t$image_size = strlen( $id3_metadata['image']['data'] );\n+\t\t\t\t$id3_metadata['image']['data'] = '( ' . $image_size . ' ' . __( 'bytes of BINARY DATA', 'media-library-assistant' ) . ' )';\n+\t\t\t}\n+\n \t\t\t$text .= self::_compose_metadata_array( $id3_metadata, 'id3', ':' );\n \t\t}\n \n... (truncated)","1. Login to the WordPress dashboard with a Contributor-level account or higher.\n2. Create a new post or edit an existing one.\n3. Add a shortcode block containing the [mla_gallery] shortcode.\n4. Within the shortcode, add the 'mla_markup' attribute using the 'inline:' prefix to define a custom HTML template containing a script tag. Payload example: [mla_gallery post_mime_type=all mla_markup=\"inline:\u003Cscript>alert(document.cookie)\u003C\u002Fscript>\"].\n5. Save or publish the post.\n6. Navigate to the post's public URL (or preview it as an Administrator). The script provided in the 'mla_markup' attribute will execute in the browser context of the viewer.","gemini-3-flash-preview","2026-04-17 21:22:17","2026-04-17 21:23:12",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.34","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmedia-library-assistant\u002Ftags\u002F3.34","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmedia-library-assistant.3.34.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmedia-library-assistant\u002Ftags\u002F3.35","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmedia-library-assistant.3.35.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmedia-library-assistant\u002Ftags"]