Media Library Assistant Missing Authorization Vulnerability Allows Taxonomy Modification

Vulnerability

A vulnerability exists in the Media Library Assistant plugin for WordPress, affecting all versions through 3.33. The issue stems from a missing capability check in the 'mla_update_compat_fields_action()' function, which allows authenticated attackers with Subscriber-level access or higher to modify taxonomy terms on arbitrary attachments without authorization.

Impact

Exploitation of this vulnerability could lead to unauthorized changes in attachment taxonomy terms, potentially disrupting content organization and management.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can use the 'mla_update_compat_fields_action' AJAX action to modify taxonomy terms on attachments. This can be done through the WordPress Media Manager, where the absence of a proper authorization check allows the changes to be made without the necessary permissions.

Remediation

Users are advised to update the Media Library Assistant plugin to version 3.34 or later.
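The defect class described above, as an added illustration that is not the plugin's own code: a hypothetical WordPress AJAX handler that sets taxonomy terms on an attachment with no capability check, beside the hardened form that verifies a nonce, the caller's edit rights on that specific attachment, and the taxonomy's assign_terms capability. Function names, the nonce action and the request field names are assumptions.

```php
<?php
// Hypothetical handlers, not code from Media Library Assistant.

// Vulnerable pattern: wp_ajax_ hooks only require a logged-in user, so any role
// (including Subscriber) reaches this code. No nonce and no capability check.
function example_update_terms_unsafe() {
    $attachment_id = (int) $_POST['attachment_id'];
    $taxonomy      = sanitize_key( $_POST['taxonomy'] );
    $terms         = array_map( 'sanitize_text_field', (array) $_POST['terms'] );

    wp_set_object_terms( $attachment_id, $terms, $taxonomy );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_update_terms_unsafe', 'example_update_terms_unsafe' );

// Hardened pattern: authorize the caller against the object being changed
// before touching it, and report failures with a 403 rather than silently.
function example_update_terms_safe() {
    // Rejects requests that do not carry a valid nonce for this action.
    check_ajax_referer( 'example_update_terms', 'nonce' );

    $attachment_id = isset( $_POST['attachment_id'] ) ? (int) $_POST['attachment_id'] : 0;
    $taxonomy      = isset( $_POST['taxonomy'] ) ? sanitize_key( $_POST['taxonomy'] ) : '';
    $terms         = isset( $_POST['terms'] ) ? array_map( 'sanitize_text_field', (array) $_POST['terms'] ) : array();

    // The target must be an attachment that this user is allowed to edit.
    if ( 'attachment' !== get_post_type( $attachment_id ) || ! current_user_can( 'edit_post', $attachment_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // The taxonomy must exist and the user must hold its assign_terms capability.
    $tax = get_taxonomy( $taxonomy );
    if ( ! $tax || ! current_user_can( $tax->cap->assign_terms ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $result = wp_set_object_terms( $attachment_id, $terms, $taxonomy );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    wp_send_json_success( $result );
}
add_action( 'wp_ajax_example_update_terms_safe', 'example_update_terms_safe' );
```

A Subscriber holds neither edit_post on another user's attachment nor assign_terms on the attachment taxonomies, so the hardened handler returns 403 for the request the advisory describes.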

Added: Mar 5, 2026, 6:22 AM
Updated: Mar 5, 2026, 6:22 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 3.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.