CVE-2025-7035: 
WordPress vulnerability analysis and mitigation

The Media Library Assistant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mla_tag_cloud and mla_term_list shortcodes in versions up to and including 3.26. The vulnerability exists due to insufficient input sanitization and output escaping on user-supplied attributes, allowing authenticated attackers with contributor-level access or above to inject arbitrary web scripts that execute when users access affected pages (NVD).

The vulnerability affects the mla_tag_cloud and mla_term_list shortcode functionality in the Media Library Assistant WordPress plugin. The issue stems from improper sanitization and escaping of user-supplied attributes in these shortcodes. The vulnerability has a CVSS v3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N according to NVD's assessment (NVD).

When exploited, this vulnerability allows authenticated attackers to inject malicious scripts that execute in users' browsers when they visit pages containing the compromised shortcodes. This can lead to theft of sensitive information, session hijacking, or other client-side attacks against site visitors (NVD).

Users should update to version 3.27 or later which contains security fixes addressing this vulnerability. The fix was implemented in changeset 3327861 of the plugin (WordPress Plugin).