CVE-2021-34668
📋 TL;DR
This vulnerability allows author-level users in WordPress to inject malicious JavaScript into folder names via the Real Media Library plugin. When other users view these folders, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. All WordPress sites using Real Media Library version 4.14.1 or earlier are affected.
💻 Affected Systems
- WordPress Real Media Library plugin
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, take over the WordPress site, install backdoors, or redirect users to malicious sites.
Likely Case
Author-level attackers deface the site, steal user data, or perform limited administrative actions through session hijacking.
If Mitigated
With proper user role management and content security policies, impact is limited to visual defacement within the media library interface.
🎯 Exploit Status
Exploitation requires author-level access. Attack vectors are well-documented in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.14.2
Vendor Advisory: https://wordpress.org/plugins/real-media-library-lite/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Real Media Library.
4. Click 'Update Now' if available.
5. Alternatively, download version 4.14.2+ from the WordPress repository and replace the plugin files.
🔧 Temporary Workarounds
Disable plugin
Temporarily deactivate the Real Media Library plugin until it is patched
wp plugin deactivate real-media-library
Restrict user roles
Remove author-level permissions from untrusted users. The command below demotes every author to subscriber, one user at a time (wp user set-role takes a single user per call, so xargs must pass the IDs one by one):
wp user list --role=author --field=ID | xargs -I{} wp user set-role {} subscriber
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Regularly audit user accounts and remove unnecessary author-level permissions
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Real Media Library → Version. If the version is 4.14.1 or earlier, the site is vulnerable.
Check Version:
wp plugin get real-media-library --field=version
Verify Fix Applied:
Confirm plugin version is 4.14.2 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual folder name creation/modification in WordPress logs
- JavaScript payloads in media library folder names
Network Indicators:
- Unexpected outbound connections from WordPress admin pages
- Suspicious JavaScript loading in /wp-content/uploads/ folders
SIEM Query:
source="wordpress.log" AND ("real-media-library" OR "folder.php") AND ("script" OR "javascript" OR "onload" OR "onerror")
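Added example, not code from the advisory or from the plugin: shell helpers that wrap the version check and the folder-name indicators above, so the "is this version at or below 4.14.1" decision and the SIEM indicators (script tags, javascript: URIs, on*= handlers) can be exercised offline against constructed folder names. The plugin slug real-media-library is taken from this page's commands; the plugin's database table is not named on the page and is not assumed here.

```shell
#!/bin/sh
# Added example, not from the advisory. Helpers around the wp-cli checks on
# this page; plugin slug "real-media-library" is taken from the page.

# Convert "a.b.c" to an integer for numeric comparison (4.14.1 -> 4014001).
ver_to_int() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# True (exit 0) when the version is 4.14.1 or earlier, i.e. below the fix.
rml_version_vulnerable() {
  [ "$(ver_to_int "$1")" -lt "$(ver_to_int 4.14.2)" ]
}

# Live check on a WordPress install: read the version through wp-cli.
rml_check_installed() {
  v=$(wp plugin get real-media-library --field=version 2>/dev/null) \
    || { echo "plugin not found"; return 2; }
  if rml_version_vulnerable "$v"; then echo "VULNERABLE: $v"; return 0; fi
  echo "patched: $v"; return 1
}

# True when a folder name carries the indicators the SIEM query looks for:
# a <script tag, a javascript: URI, or an inline on*= handler (onload, onerror).
rml_folder_name_suspicious() {
  printf '%s' "$1" | grep -Eiq '<script|javascript:|on[a-z]+[[:space:]]*='
}

# Count suspicious names in a newline-separated list on stdin (for example the
# folder names exported from the site's database with wp db query).
rml_count_suspicious() {
  n=0
  while IFS= read -r name; do
    rml_folder_name_suspicious "$name" && n=$((n + 1))
  done
  echo "$n"
}

# Constructed sample folder names for a stand-alone run; not real site data.
SAMPLE_FOLDERS='Holiday 2021
Reports<script>alert(1)</script>
Invoices
<img src=x onerror=alert(1)>'

printf '%s\n' "$SAMPLE_FOLDERS" | rml_count_suspicious   # prints 2
```

On a live site, run rml_check_installed from the WordPress root where wp-cli is configured; a zero exit means the installed version still needs the 4.14.2 update.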