CVE-2023-4634

Description

The Media Library Assistant plugin for WordPress is vulnerable to Local File Inclusion and Remote Code Execution in versions up to, and including, 3.09. This is due to insufficient controls on file paths being supplied to the 'mla_stream_file' parameter from the ~/includes/mla-stream-image.php file, where images are processed via Imagick(). This makes it possible for unauthenticated attackers to supply files via FTP that will make directory lists, local file inclusion, and remote code execution possible.

NVD
Severity: N/A
CVE ID: CVE-2023-4634
CVSS Score: N/A
CVSS Metrics: NVD assessment not yet provided.
Wordfence
Severity: CRITICAL
CVE ID: CVE-2023-4634
CVSS Score: 9.8
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference: NVD, MITRE

Proof Of Concept

Nuclei Templates for CVE-2023-4634
Patrowl

CVE-2023-4634

Reference: GitHub

Content on GitHub

vinnie1717 | watchers:0

CVE-2023-46344

Reference: GitHub