Plugin inspection:

Media Library Assistant

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.

Warnings

This recommendation applies to version 1.61 of this plugin, but the most recent version is 3.20. These findings may no longer be correct.

Findings

This is a large and complex plugin, at over 13,000 source lines of code. It contains numerous issues of concern.

This plugin:

  • Is likely to contain SQL injections exploitable by privileged users
  • Is likely to allow the reading of arbitrary files
  • Contains debug code that can be enabled via a URL parameter
  • Uses blacklists rather than whitelists to filter inputs

In addition, the plugin’s readme alludes to the possibility that it may have performance problems:

= The Media/Assistant submenu seems sluggish; is there anything I can do to make it faster? =

Some of the MLA features such as where-used reporting and ALT Text sorting/searching require a lot of database processing. If this is an issue for you, go to the Settings page and adjust the “Where-used database access tuning” settings. For any where-used category you can enable or disable processing. For the “Gallery in” and “MLA Gallery in” you can also choose to update the results on every page load or to cache the results for fifteen minutes between updates. The cache is also flushed automatically when posts, pages or attachments are inserted or updated.

Reason for the 'Use with caution' result

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

This plugin is likely to contain SQL injections and information leakage vulnerabilities exploitable by privileged users.

Failure criteria

  • Lack of input sanitisation
  • Execution of unprepared SQL statements
  • Unsafe file or network IO

Read more about our failure criteria.