CVE-2024-11974
📋 TL;DR
This vulnerability allows unauthenticated attackers to perform reflected cross-site scripting (XSS) attacks against WordPress sites using the Media Library Assistant plugin. Attackers can inject malicious scripts via specific parameters that get executed when users click crafted links. All WordPress sites with Media Library Assistant plugin versions up to 3.23 are affected.
💻 Affected Systems
- WordPress Media Library Assistant plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, perform actions as authenticated users, redirect to malicious sites, or install backdoors on the WordPress site.
Likely Case
Attackers would typically steal user session cookies or credentials, perform phishing attacks, or deface parts of the site visible to users.
If Mitigated
With proper Content Security Policy (CSP) headers and modern browser XSS protections, script execution would be blocked, limiting impact to parameter reflection without execution.
🎯 Exploit Status
Reflected XSS vulnerabilities are commonly weaponized in phishing campaigns and require minimal technical skill to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 3.24 or later
Vendor Advisory: https://wordpress.org/plugins/media-library-assistant/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Media Library Assistant. 4. Click 'Update Now' if available. 5. Alternatively, download version 3.24+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Disable vulnerable example plugins
linuxRemove or disable the vulnerable example plugin files that contain the insecure parameters
rm /path/to/wp-content/plugins/media-library-assistant/examples/plugins/mla-unattached-fixit.php
rm /path/to/wp-content/plugins/media-library-assistant/examples/plugins/smart-media-categories/
rm /path/to/wp-content/plugins/media-library-assistant/examples/plugins/woofixit.php
Web Application Firewall (WAF) rules
allBlock requests containing malicious script patterns in the vulnerable parameters
🧯 If You Can't Patch
- Disable the Media Library Assistant plugin entirely
- Implement strict Content Security Policy headers to block inline script execution
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Media Library Assistant → Version. If version is 3.23 or lower, you are vulnerable.Check Version:
wp plugin list --name=media-library-assistant --field=versionVerify Fix Applied:
After updating, verify version shows 3.24 or higher in WordPress plugins page.📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing 'smc_settings_tab', 'unattachfixit-action', or 'woofixit-action' parameters with script tags or JavaScript code
- Unusual referrer headers pointing to suspicious domains
Network Indicators:
- GET requests with encoded script payloads in query parameters
- Traffic patterns showing users being redirected after visiting specific plugin pages
SIEM Query:
source="web_access_logs" AND (uri_query="*smc_settings_tab*<script*" OR uri_query="*unattachfixit-action*<script*" OR uri_query="*woofixit-action*<script*")🔗 References
- https://plugins.trac.wordpress.org/browser/media-library-assistant/trunk/examples/plugins/mla-unattached-fixit.php#L177
- https://plugins.trac.wordpress.org/browser/media-library-assistant/trunk/examples/plugins/smart-media-categories/admin/includes/class-smc-settings-support.php#L459
- https://plugins.trac.wordpress.org/browser/media-library-assistant/trunk/examples/plugins/woofixit.php#L1391
- https://plugins.trac.wordpress.org/changeset/3215759/
- https://wordpress.org/plugins/media-library-assistant/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/65f4e5e1-4c2e-4943-aa84-4caa61e14bc2?source=cve
