CVE-2024-6823: CWE-434 Unrestricted Upload of File with Dangerous Type in dglingren Media Library Assistant
Description
The Media Library Assistant plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation involving the mla-inline-edit-upload-scripts AJAX action in all versions up to, and including, 3.18. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-07-16T21:41:35.031Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6c0cb7ef31ef0b55f5df
Added to database: 2/25/2026, 9:39:24 PM
Last updated: 2/25/2026, 9:41:45 PM
Related Threats
- CVE-2024-3714: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in webdevmattcrom GiveWP – Donation Plugin and Fundraising Platform (Medium)
- CVE-2024-3711: CWE-862 Missing Authorization in themefusecom Brizy – Page Builder (Medium)
- CVE-2024-3682: CWE-200 Information Exposure in renehermi WP STAGING WordPress Backup Plugin – Migration Backup Restore (Medium)
- CVE-2024-3681: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in cmoreira Interactive World Maps (Medium)
- CVE-2024-3680: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in themelooks Enter Addons – Ultimate Template Builder for Elementor (Medium)