CVE-2025-11738
Media Library Assistant <= 3.29 - Unauthenticated Limited File Read
CVSS Score: 5.3
EPSS Score: 0.0%
EPSS Percentile: 0th
The Media Library Assistant plugin for WordPress is vulnerable to limited file reading in all versions up to, and including, 3.29 via the mla-stream-image.php file. This makes it possible for unauthenticated attackers to read the contents of arbitrary ai/eps/pdf/ps files on the server, which can contain sensitive information.
| CWE | CWE-73 |
| Vendor | dglingren |
| Product | media library assistant |
| Published | Oct 18, 2025 |
| Last Updated | Apr 8, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None
Affected Versions
dglingren / Media Library Assistant
0 ≤ 3.29
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/43d1264a-2265-4423-a643-7ef6436d3764?source=cve
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3379044%40media-library-assistant&new=3379044%40media-library-assistant&sfp_email=&sfph_mail=
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3379043%40media-library-assistant&new=3379043%40media-library-assistant&sfp_email=&sfph_mail=
Credits
Lucas Montes