CVE-2025-8357 MEDIUM

CVE-2025-8357: Media Library Assistant <= 3.27 - Authenticated (Author+) Limited File Deletion

Vendor Dglingren
Product Media Library Assistant
Weakness CWE-862 · Missing authorization
Published August 19, 2025
Last update April 8, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01 Description

The Media Library Assistant plugin for WordPress is vulnerable to arbitrary file deletion within the /wp-content/uploads directory due to insufficient file path validation and user capability checking in the _process_mla_download_file function in all versions up to, and including, 3.27. This makes it possible for authenticated attackers with Author-level access or higher to delete arbitrary files within the server's /wp-content/uploads/ directory.
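The two controls the description names as insufficient, a capability check and path validation, are easiest to see in a hardened form. The following is an added illustration written for this page, not Media Library Assistant's own code; the function name, its parameters and the error codes are hypothetical, while the WordPress functions it calls (current_user_can, wp_upload_dir, get_attached_file, wp_delete_file) are real core APIs.

```php
<?php
// Added illustration, not the plugin's code: a "delete uploaded file" handler
// with the checks the advisory describes as missing. Names are hypothetical.

function mla_example_delete_upload( $attachment_id, $requested_path ) {
    $attachment_id = (int) $attachment_id;

    // 1. Authorization: the user must be allowed to delete THIS attachment,
    //    not merely be logged in. The delete_post meta-capability lets an
    //    Author delete only their own media and an Editor/Admin any media.
    if ( ! current_user_can( 'delete_post', $attachment_id ) ) {
        return new WP_Error( 'forbidden', 'Not allowed to delete this attachment.' );
    }

    // 2. Path validation: realpath() resolves symlinks and "../" segments;
    //    the result must sit strictly inside the uploads base directory.
    $upload_dir = wp_upload_dir();
    $base       = realpath( $upload_dir['basedir'] );
    $candidate  = $base . DIRECTORY_SEPARATOR . ltrim( (string) $requested_path, '/\\' );
    $target     = realpath( $candidate );
    if ( false === $base || false === $target
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        return new WP_Error( 'bad_path', 'File is outside the uploads directory.' );
    }

    // 3. Bind the path to the attachment record so that an authorized user
    //    can only remove the file WordPress stores for that attachment, not
    //    an arbitrary file elsewhere under uploads.
    $stored = get_attached_file( $attachment_id );
    $stored = $stored ? realpath( $stored ) : false;
    if ( false === $stored || $stored !== $target ) {
        return new WP_Error( 'mismatch', 'Path does not belong to this attachment.' );
    }

    if ( ! is_file( $target ) ) {
        return new WP_Error( 'missing', 'File not found.' );
    }

    // wp_delete_file() runs the wp_delete_file filter, then unlinks the file.
    wp_delete_file( $target );
    return ! file_exists( $target );
}
```

Checks 2 and 3 overlap by design: the attachment binding is the primary control, and the directory confinement remains as defence in depth should the binding ever be relaxed.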

Explanation of Vulnerability in Simple Terms

02 Summary

Media Library Assistant versions 3.27 and earlier lack proper authorization checks in the plugin's download-file handler, allowing authenticated users with low privileges to delete files under the uploads directory and so disrupt the site's availability. An attacker with a basic user account can trigger a denial-of-service condition without requiring any user interaction. The vulnerability affects the plugin's core functionality and impacts site stability.

What an attacker can do

03 Attacker Capabilities

Disrupt site availability by triggering a denial-of-service condition with a low-privilege user account.

Potential impact on your site

04 Site Impact

Site availability may be degraded or interrupted by authenticated users with basic permissions.

Conditions required to exploit

05 Prerequisites

Attacker must have a valid low-privilege user account on the site (Author-level or higher); no user interaction is required.

Key dates

06 Disclosure timeline

August 19, 2025 CVE published
April 8, 2026 Record updated