Impact
The vulnerability is classified as Improper Neutralization of Special Elements used in an SQL Command (CWE-89), commonly referred to as SQL injection. The plugin's code does not neutralize user-controlled input (for example by binding it through a prepared statement) before embedding it in SQL statements, so an attacker who controls that input can change the query the database executes. Because the flaw is a blind SQL injection, the application does not return query results or database error text directly; the attacker instead infers data one condition at a time from differences in response content or response timing. Repeated over many requests, this can extract sensitive database contents and, depending on the affected query and the database account's privileges, modify them, compromising the confidentiality and integrity of the WordPress site.
Affected Systems
WordPress sites with the Media Library Assistant plugin installed in any version up to and including 3.32 are affected. The affected range is given as every release from the initial version (lower bound not specified) through 3.32; the CVE data names no later version as fixed, so any installed version at or below 3.32 should be treated as vulnerable.
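A practitioner's first question is whether a given site falls in that range. The script below is an added example, not code from the advisory or from the plugin's authors: it parses the JSON that WP-CLI's `wp plugin list --format=json` produces and flags any install of the plugin at or below 3.32. The wordpress.org slug `media-library-assistant` is an assumption to confirm against your own install, and the JSON sample is constructed rather than captured from a real site. Versions are compared numerically per component (so 3.4 is correctly treated as older than 3.32), which a plain string comparison would get wrong.

```python
import json
import re

# Assumption: the wordpress.org slug for Media Library Assistant is
# "media-library-assistant"; confirm it against `wp plugin list` on your site.
AFFECTED_SLUG = "media-library-assistant"
# Highest affected version named in the advisory (inclusive).
MAX_AFFECTED = "3.32"

# Constructed sample of `wp plugin list --format=json` output (not real data).
SAMPLE_WP_CLI_JSON = json.dumps([
    {"name": "media-library-assistant", "status": "active", "update": "none", "version": "3.32"},
    {"name": "akismet", "status": "inactive", "update": "none", "version": "5.3"},
])


def parse_version(v):
    """Split '3.32' / '3.4.1' into a tuple of ints so components compare numerically."""
    parts = []
    for piece in re.split(r"[.\-]", v.strip()):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_le(a, b):
    """True when version string a is at or below version string b (missing components count as 0)."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return ta <= tb


def affected_plugins(wp_cli_json, slug=AFFECTED_SLUG, max_affected=MAX_AFFECTED):
    """Return (name, version, status) for every listed plugin matching slug at or below max_affected."""
    hits = []
    for plugin in json.loads(wp_cli_json):
        if plugin.get("name") == slug and version_le(plugin.get("version", "0"), max_affected):
            hits.append((plugin["name"], plugin["version"], plugin.get("status")))
    return hits


if __name__ == "__main__":
    # On a live site, replace SAMPLE_WP_CLI_JSON with the stdout of:
    #   subprocess.run(["wp", "plugin", "list", "--format=json"], capture_output=True, text=True).stdout
    for name, version, status in affected_plugins(SAMPLE_WP_CLI_JSON):
        print(f"{name} {version} ({status}): at or below {MAX_AFFECTED}, treat as affected")
```

An inactive plugin still ships its PHP files, so the check deliberately reports installs regardless of `status`; deactivating the plugin is not the same as removing it.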
Risk and Exploitability
The CVSS score of 8.5 places the vulnerability in the high severity band. The EPSS score of under 1% indicates that exploitation in the wild is currently assessed as unlikely, and the flaw is not listed in the CISA KEV catalog. The attack vector is HTTP requests that reach the plugin's backend code; the vulnerable input is reachable by authenticated users through the WordPress admin interface and, according to the advisory, by unauthenticated users as well. Because the injection is blind, the attacker does not need to see error messages or query output: a difference in response content between a true and a false injected condition, or a measurable delay when a time-based payload is injected, is enough to extract data one bit at a time. No official patch or workaround is supplied in the CVE data, so the risk remains until a vendor fix is released or the plugin is removed; until then, any installed version at or below 3.32 should be treated as exploitable, and requests to the plugin's endpoints are worth monitoring for the probing patterns a blind injection requires.
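Since blind injection can only be exploited through many probing requests, those requests are what a defender can look for in web server logs. The following is an added example written for this page, not code from the advisory or the plugin, showing the detection logic for the two probing styles described above: time-based payloads (`SLEEP(`, `BENCHMARK(`, `pg_sleep(`, `WAITFOR DELAY`) correlated with slow responses, and boolean probing where the same client sends both a true and a false condition (`AND 1=1` / `AND 1=2`) to the same path. The log lines are constructed in nginx combined format with `$request_time` appended as the last field, and the `action=example_action` endpoint is hypothetical; the plugin's real request parameters are not named in the CVE data.

```python
import re
from urllib.parse import unquote_plus

# Constructed nginx combined-format lines with $request_time appended; not real traffic.
# The admin-ajax "action=example_action" endpoint is hypothetical.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2025:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&id=5 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.021
203.0.113.7 - - [10/May/2025:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&id=5%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0" 5.034
203.0.113.7 - - [10/May/2025:12:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&id=5%20AND%201%3D1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.020
203.0.113.7 - - [10/May/2025:12:00:10 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&id=5%20AND%201%3D2 HTTP/1.1" 200 0 "-" "Mozilla/5.0" 0.019
198.51.100.4 - - [10/May/2025:12:01:00 +0000] "GET /?s=sleeping+bags HTTP/1.1" 200 8192 "-" "Mozilla/5.0" 0.030
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "[^"]*" (?P<rt>[\d.]+)$'
)
# Time-based payloads need a call with parentheses (or WAITFOR DELAY), so "sleeping bags" does not match.
TIME_PAYLOAD = re.compile(r"(?i)\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b")
# Boolean probes: AND/OR followed by a numeric comparison such as 1=1 or 1=2.
BOOL_PAYLOAD = re.compile(r"(?i)\b(?:and|or)\b\s*['\"]?\s*(\d+)\s*=\s*(\d+)")
SLOW_SECONDS = 3.0  # a time-based payload that also produced a slow response is the strongest signal


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rt"] = float(rec["rt"])
    rec["decoded"] = unquote_plus(rec["uri"])       # payloads arrive URL-encoded
    rec["path"] = rec["decoded"].split("?", 1)[0]
    return rec


def analyse(log_text):
    """Return a list of findings: time-based payloads (severity by response time) and boolean probe pairs."""
    findings = []
    bool_probes = {}  # (ip, path) -> set of truth values seen in injected comparisons
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if TIME_PAYLOAD.search(rec["decoded"]):
            severity = "high" if rec["rt"] >= SLOW_SECONDS else "medium"
            findings.append({"ip": rec["ip"], "kind": "time-based", "severity": severity,
                             "uri": rec["decoded"], "rt": rec["rt"]})
        for lhs, rhs in BOOL_PAYLOAD.findall(rec["decoded"]):
            bool_probes.setdefault((rec["ip"], rec["path"]), set()).add(lhs == rhs)
    for (ip, path), truths in bool_probes.items():
        # Sending both a true and a false condition to one endpoint is the signature of boolean-blind probing.
        severity = "medium" if len(truths) == 2 else "low"
        findings.append({"ip": ip, "kind": "boolean-based", "severity": severity, "uri": path, "rt": None})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['kind']} from {f['ip']}: {f['uri']}"
              + (f" ({f['rt']:.3f}s)" if f["rt"] is not None else ""))
```

The response-time field is what separates a scanner merely trying payloads from a payload that actually reached the database: an injected `SLEEP(5)` that returns in 20 ms tells you the input was neutralized, while one that returns in five seconds tells you it was not. Body size (the `bytes` field) is worth correlating for boolean probes in the same way, since a false condition typically returns a different-sized page than a true one.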
OpenCVE Enrichment