CVE-2023-4634
📋 TL;DR
The Media Library Assistant WordPress plugin has a critical vulnerability allowing unauthenticated attackers to perform Local File Inclusion and Remote Code Execution. Attackers can exploit insufficient path controls in the 'mla_stream_file' parameter to read sensitive files, list directories, and execute arbitrary code. All WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- WordPress Media Library Assistant plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing attackers to execute arbitrary code, steal sensitive data, install backdoors, and pivot to other systems.
Likely Case
Attackers gain initial access to the web server, exfiltrate sensitive files (like configuration files with database credentials), and establish persistence.
If Mitigated
Attackers can only read publicly accessible files but cannot execute code due to proper file permissions and security controls.
🎯 Exploit Status
Proof-of-concept exploit code is publicly available and requires minimal technical skill to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.10 and later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Media Library Assistant.
4. Click 'Update Now' if available.
5. If auto-update fails, manually download version 3.10+ from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the Media Library Assistant plugin until it is patched.
wp plugin deactivate media-library-assistant
Restrict access to vulnerable endpoint
Block access to the mla-stream-image.php file via web server configuration.
Apache (2.2-style directives; on Apache 2.4 use "Require all denied" inside the block instead):
<LocationMatch "/includes/mla-stream-image\.php">
    Order deny,allow
    Deny from all
</LocationMatch>
Nginx:
location ~ /includes/mla-stream-image\.php { deny all; }
🧯 If You Can't Patch
- Immediately disable or remove the Media Library Assistant plugin from all affected WordPress installations.
- Implement strict web application firewall (WAF) rules to block requests containing 'mla_stream_file' parameter patterns.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Media Library Assistant → Version. If version is 3.09 or lower, the site is vulnerable.
Check Version:
wp plugin get media-library-assistant --field=version
Verify Fix Applied:
Confirm plugin version is 3.10 or higher in WordPress admin panel and test that the mla-stream-image.php endpoint no longer accepts arbitrary file paths.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /wp-content/plugins/media-library-assistant/includes/mla-stream-image.php with 'mla_stream_file' parameter containing unusual paths
- PHP error logs showing Imagick-related errors or file inclusion attempts
Network Indicators:
- Unusual outbound connections from web server following exploitation attempts
- HTTP requests with file:// or ftp:// schemes in parameters
SIEM Query:
source="web_access_logs" AND uri_path="/wp-content/plugins/media-library-assistant/includes/mla-stream-image.php" AND query_string="*mla_stream_file*"
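The log indicators above can be checked offline against exported access logs. The following script is an added example, not part of this advisory or of the plugin: it parses Apache combined-format lines, isolates requests to the mla-stream-image.php endpoint, decodes the 'mla_stream_file' parameter (twice, so double-encoded values are not missed) and flags traversal sequences, absolute paths, URL schemes such as file:// or ftp://, and null bytes. The log lines embedded in it are constructed samples with documentation-range IP addresses, and the pattern names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache "combined" format (not real traffic).
# Lines 1-2 are abusive requests, line 3 is a legitimate thumbnail request,
# line 4 is unrelated traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Sep/2023:12:00:01 +0000] "GET /wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1342 "-" "curl/8.1.2"
203.0.113.10 - - [10/Sep/2023:12:00:02 +0000] "GET /wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=ftp://203.0.113.10/x HTTP/1.1" 500 0 "-" "curl/8.1.2"
198.51.100.7 - - [10/Sep/2023:12:00:03 +0000] "GET /wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=2023/09/photo.jpg&mla_stream_size=300 HTTP/1.1" 200 8211 "https://example.invalid/" "Mozilla/5.0"
198.51.100.8 - - [10/Sep/2023:12:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
"""

# Match on the path suffix so non-default plugin directories are still covered.
ENDPOINT_SUFFIX = "/includes/mla-stream-image.php"

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Patterns a well-formed relative media path should never contain.
# Names are hypothetical labels chosen for this example.
SUSPICIOUS = (
    ("traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),      # ../ or ..\ segments
    ("absolute_path", re.compile(r"^[\\/]|^[A-Za-z]:[\\/]")),  # /etc/..., C:\...
    ("url_scheme", re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)),  # file://, ftp://, php://, ...
    ("null_byte", re.compile(r"\x00")),                      # embedded NUL
)


def classify_value(value: str) -> list:
    """Return the names of every suspicious pattern the decoded parameter value matches."""
    decoded = unquote(value)  # extra decode catches %252e%252e-style double encoding
    return [name for name, rx in SUSPICIOUS if rx.search(decoded)]


def scan_access_log(lines) -> list:
    """Yield one finding per suspicious mla_stream_file value seen on the endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(ENDPOINT_SUFFIX):
            continue
        # parse_qs performs the first percent-decode; classify_value does the second.
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get("mla_stream_file", []):
            reasons = classify_value(value)
            if reasons:
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "status": int(m.group("status")),
                    "value": unquote(value),
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} {f['ip']} status={f['status']} "
              f"reasons={','.join(f['reasons'])} value={f['value']!r}")
```

Run against a real export with `scan_access_log(open("access.log"))`. A 200 response paired with a traversal or scheme finding deserves the highest priority, since it indicates the request was served rather than rejected; the same value checks can be lifted into a WAF rule for the 'mla_stream_file' parameter as suggested under "If You Can't Patch".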
🔗 References
- https://github.com/Patrowl/CVE-2023-4634/
- https://packetstormsecurity.com/files/174508/wpmla309-lfiexec.tgz
- https://patrowl.io/blog-wordpress-media-library-rce-cve-2023-4634/
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2955933%40media-library-assistant&new=2955933%40media-library-assistant&sfp_email=&sfph_mail=#file4
- https://www.wordfence.com/threat-intel/vulnerabilities/id/05c68377-feb6-442d-a3a0-1fbc246c7cbf?source=cve