Real Media Library: Media Library Folder & File Manager – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-2027 | WordPress Plugin Vulnerability Report
Plugin Name: Real Media Library: Media Library Folder & File Manager
Key Information:
- Software Type: Plugin
- Software Slug: real-media-library-lite
- Software Status: Active
- Software Author: devowl
- Software Downloads: 2,429,162
- Active Installs: 80,000
- Last Updated: March 25, 2024
- Patched Versions: 4.22.8
- Affected Versions: <= 4.22.7
Vulnerability Details:
- Name: Real Media Library: Media Library Folder & File Manager <= 4.22.7
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- CVE: CVE-2024-2027
- CVSS Score: 6.4
- Publicly Published: March 25, 2024
- Researcher: Ngô Thiên An and Dau Hoang Tai - VNPT-VCI
- Description: The Real Media Library plugin is vulnerable to Stored Cross-Site Scripting in all versions up to and including 4.22.7, due to insufficient input sanitization and output escaping of the plugin's style attributes. The flaw allows authenticated users with contributor-level access or higher to store arbitrary web scripts in pages, which then execute whenever another user loads those pages.
Summary:
The Real Media Library plugin, a widely used media management tool for WordPress, harbors a critical vulnerability in versions up to and including 4.22.7, which allows stored cross-site scripting via its style attributes. Fortunately, this issue has been addressed in the newly released version 4.22.8.
Detailed Overview:
Discovered by researchers Ngô Thiên An and Dau Hoang Tai of VNPT-VCI, this vulnerability exposes websites to significant risk, including unauthorized data access and potential site compromise. The flaw lies in the plugin's style attributes, where insufficient input sanitization and output escaping allow a low-privileged user to inject a malicious script. Once stored, that script runs in the browser of every visitor or administrator who views the affected page, and can do anything from stealing session data to taking control of the site, without the victim noticing.
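The defensive pattern for this class of bug, as an added illustration that is not the plugin's own code: a user-controlled CSS string must pass through WordPress's inline-style allowlist and be attribute-escaped before it is written into a `style=""` attribute. All `demo_` function names and the `_demo_folder_style` meta key are hypothetical; `safecss_filter_attr()`, `esc_attr()`, `current_user_can()`, `wp_unslash()` and `update_post_meta()` are real WordPress core functions.

```php
<?php
// Added example, not code from the Real Media Library plugin.
// Illustrates the unsafe and hardened ways of emitting a stored CSS
// string into an HTML style attribute. demo_* names are hypothetical.

/**
 * Unsafe pattern: the stored value is concatenated into the attribute
 * without filtering or escaping. A value containing a double quote is
 * emitted verbatim and terminates the attribute early, which is the
 * root cause of the stored XSS described in this report.
 */
function demo_unsafe_style_attr( $stored_css ) {
    return '<div class="demo-folder" style="' . $stored_css . '">';
}

/**
 * Hardened pattern, applied at output time (the last line of defence):
 *  1. safecss_filter_attr() keeps only declarations on WordPress's
 *     inline-CSS allowlist (extendable via the safe_style_css filter)
 *     and discards everything else.
 *  2. esc_attr() HTML-encodes quotes and angle brackets so the value
 *     can neither close the attribute nor open a new tag.
 */
function demo_safe_style_attr( $stored_css ) {
    $filtered = safecss_filter_attr( (string) $stored_css );
    if ( '' === $filtered ) {
        // Nothing allowed survived filtering: emit no style attribute at all.
        return '<div class="demo-folder">';
    }
    return '<div class="demo-folder" style="' . esc_attr( $filtered ) . '">';
}

/**
 * Sanitize on save as well, so the database never holds a hostile value,
 * and gate the write behind a capability check. Requiring manage_options
 * here is an assumption for the demo; a real plugin would pick the
 * narrowest capability that fits the feature.
 */
function demo_save_folder_style( $folder_id, $raw_css ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    $clean = safecss_filter_attr( wp_unslash( (string) $raw_css ) );
    return update_post_meta( (int) $folder_id, '_demo_folder_style', $clean );
}
```

Escaping at output is what actually closes the hole, because data may reach the database by paths other than the sanitized save handler (imports, older records stored before the fix, other plugins).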
Advice for Users:
To mitigate the risk posed by this vulnerability, users of the Real Media Library plugin should update to version 4.22.8 immediately. Website administrators should also review their sites for any unusual content or behavior, particularly if they have been running a vulnerable version of the plugin. While the patched version is secure, exploring alternative plugins with similar functionality could provide an additional layer of security. Above all, keeping every installed plugin up to date is crucial for website security.
Conclusion:
The prompt resolution of this vulnerability by the Real Media Library plugin developers highlights the critical importance of regular software updates in the defense against cyber threats. By ensuring that the plugin is updated to version 4.22.8 or later, WordPress site owners can protect their sites from potential exploits related to this vulnerability.
FAQs:
What is CVE-2024-2027?
CVE-2024-2027 is a vulnerability identifier for a specific security flaw found in the Real Media Library: Media Library Folder & File Manager plugin for WordPress. This flaw is categorized as a Stored Cross-Site Scripting (XSS) vulnerability, which was discovered in versions up to and including 4.22.7 of the plugin.
This vulnerability allows users with contributor-level access or higher to inject malicious scripts into web pages through the plugin's style attributes. When these pages are accessed by others, the malicious scripts execute, potentially compromising the website and its visitors' security.