Media Library Assistant, CVE-2025-8357

CVE, Research URL: CVE-2025-8357
Home page URL: Security reports for Media Library Assistant
Application: Media Library Assistant
Published on: Aug 19, 2025
Research Description: The Media Library Assistant plugin for WordPress is vulnerable to arbitrary file deletion in the /wp-content/uploads directory due to insufficient file path validation and user capability checking in the _process_mla_download_file function in all versions up to, and including, 3.27. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server from the /wp-content/uploads/ directory.
Affected versions: Min -, max 3.28.
Status: vulnerable