Plugin inspection:

Media Library Assistant

Use with caution

Last revised:

Confidence: Medium

This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.

Warnings

This recommendation applies to version 1.61 of this plugin, but the most recent version is 3.15. These findings may no longer be correct.

Findings

This is a large and complex plugin, at over 13,000 source lines of code. It contains numerous issues of concern.

This plugin:

  • Is likely to contain SQL injections exploitable by privileged users
  • Is likely to allow the reading of arbitrary files
  • Contains debug code that can be enabled via a URL parameter
  • Uses blacklists rather than whitelists to filter inputs
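The sort-and-search pattern behind the SQL injection and blacklist findings, as an added defensive illustration that is not code from Media Library Assistant: the unsafe shape the failure criteria describe, beside a form that whitelists the sort column and binds the search term through $wpdb->prepare(). The function names, column list and 50-row limit are assumptions.

```php
<?php
// Hypothetical example, not the plugin's code. Assumes the WordPress
// global $wpdb is available (a plugin hook or admin page context).

// Unsafe shape: a character blacklist and string interpolation. The
// blacklist is incomplete by construction, and the sort column and
// direction reach the query unchecked.
function example_unsafe_search( $search, $order_by, $order ) {
    global $wpdb;
    $search = str_replace( array( "'", ';' ), '', $search ); // blacklist
    return $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_type = 'attachment' AND post_title LIKE '%{$search}%'
         ORDER BY {$order_by} {$order}"
    );
}

// Hardened shape: identifiers come from a whitelist (they cannot be
// bound as placeholders), values are bound by $wpdb->prepare().
function example_safe_search( $search, $order_by, $order ) {
    global $wpdb;

    // Whitelist of sortable columns; anything else falls back to a default.
    $allowed_columns = array( 'post_title', 'post_date', 'post_mime_type' );
    if ( ! in_array( $order_by, $allowed_columns, true ) ) {
        $order_by = 'post_date';
    }
    // Direction reduced to one of two literals.
    $order = ( 'ASC' === strtoupper( $order ) ) ? 'ASC' : 'DESC';

    // esc_like() neutralises % and _ in user input so the caller's
    // wildcards are the only ones in the pattern; %s binds the value.
    $like = '%' . $wpdb->esc_like( $search ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_type = 'attachment' AND post_title LIKE %s
         ORDER BY {$order_by} {$order}
         LIMIT %d",
        $like,
        50 // assumed page size
    );
    return $wpdb->get_results( $sql );
}
```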

In addition, the plugin’s readme alludes to the possibility that it may have performance problems:

= The Media/Assistant submenu seems sluggish; is there anything I can do to make it faster? =

Some of the MLA features such as where-used reporting and ALT Text sorting/searching require a lot of database processing. If this is an issue for you, go to the Settings page and adjust the “Where-used database access tuning” settings. For any where-used category you can enable or disable processing. For the “Gallery in” and “MLA Gallery in” you can also choose to update the results on every page load or to cache the results for fifteen minutes between updates. The cache is also flushed automatically when posts, pages or attachments are inserted or updated.

Reason for the 'Use with caution' result

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

This plugin is likely to contain SQL injections and information leakage vulnerabilities exploitable by privileged users.

Failure criteria

  • Lack of input sanitisation
  • Execution of unprepared SQL statements
  • Unsafe file or network IO

Read more about our failure criteria.