Impact
This vulnerability describes an improper neutralization of special elements used in an SQL command within the Media Library Assistant plugin, enabling blind SQL injection. An attacker can inject malicious SQL fragments that the plugin substitutes into database queries, potentially allowing the extraction or modification of data stored in the WordPress database. Depending on the database schema the attacker may read sensitive information, alter records, or create new administrative accounts.
Affected Systems
The flaw affects all installations of the Media Library Assistant plug‑in from the earliest version up through 3.35 inclusive. Any WordPress site that has migrated or retained these affected plugin versions is vulnerable.
Risk and Exploitability
The CVSS assessment of 8.5 classifies this as a high‑severity exploitation risk. Though an EPSS score is not provided, the lack of disclosure in the KEV catalog suggests limited known public exploits, yet the potential impact remains substantial. Access requires interaction with the plugin’s administrative interface, which typically mandates authenticated WordPress credentials, but once authenticated an attacker can craft the injection payload without additional privileges.
OpenCVE Enrichment