CVE-2020-11928:
WordPress vulnerability analysis and mitigation

Overview

CVE-2020-11928 is a Remote Code Execution vulnerability discovered in the media-library-assistant WordPress plugin versions before 2.82. The vulnerability was disclosed on April 19, 2020, affecting the plugin's mla_gallery functionality (NVD CVE, MITRE CVE).

Technical details

The vulnerability exists in the mlagallery functionality where Remote Code Execution can occur via the taxquery, metaquery, or datequery parameters when accessed by an administrator. The severity of this vulnerability is rated as CRITICAL with a CVSS v3.1 Base Score of 9.8 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD CVE).

Impact

The vulnerability allows an attacker to execute arbitrary code on the affected system with administrator privileges, potentially leading to complete system compromise. This could result in unauthorized access to sensitive data, modification of website content, and potential server takeover (NVD CVE).

Mitigation and workarounds

Users should immediately upgrade to media-library-assistant version 2.82 or later to address this vulnerability. The fix has been implemented in the updated version available through the WordPress plugin repository (WordPress Plugin).