CVE-2024-2328 in Real Media Library Plugin

Summary

by MITRE • 05/02/2024

The Real Media Library: Media Library Folder & File Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image title and alt text in all versions up to, and including, 4.22.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author access and higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 04/06/2025

The Real Media Library plugin for WordPress is a widely used media management extension that adds folder organization and advanced file handling to the WordPress media library. All versions up to and including 4.22.11 contain a critical stored cross-site scripting vulnerability, which puts WordPress installations that rely on the plugin at significant risk. The flaw lies in the plugin's handling of image metadata, specifically the title and alt text fields that are routinely edited when managing media assets in the WordPress media library. An attacker who can set those fields can plant script in values that the plugin stores in the application's database, where it persists.

The technical flaw is inadequate input sanitization combined with insufficient output escaping in the plugin's processing pipeline. When an authenticated user with author privileges or higher uploads or modifies a media file, the plugin does not properly validate or sanitize the title and alt text parameters before storing them in the database, so script can be stored alongside legitimate media metadata. The result is a persistent threat that remains active until the malicious content is removed manually or the plugin is updated. Because the payload is saved in the database and executed whenever a user accesses the affected media item, this is a stored XSS vulnerability, and it is particularly dangerous because it affects every user who views the compromised media.

The operational impact goes beyond simple script execution, because the vulnerability gives an attacker a foothold for further attacks inside the WordPress environment. An authenticated attacker with author-level permissions can inject JavaScript that steals session cookies, redirects users to phishing sites, or launches additional exploits against the WordPress installation. Only author-level privileges are required, which is concerning because such accounts are normally meant to have restricted access to the media library. The vulnerability therefore undermines the WordPress permission model: a comparatively low-privileged user can potentially compromise the integrity of the entire site and its users' data.

Mitigation should start with updating the plugin to the latest available version, which addresses the XSS flaw. Administrators should also validate input at multiple layers and audit media library content regularly for injected markup. The vulnerability is classified as CWE-79 (cross-site scripting), and it maps to ATT&CK technique T1566.001 for the initial compromise through malicious file uploads. Organizations should assess their WordPress installations for other potentially vulnerable plugins and ensure that every media management component properly sanitizes user input. Ongoing monitoring of WordPress security advisories and well-maintained security configurations remain essential to prevent exploitation of similar vulnerabilities.
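The following JavaScript is an added illustration of the two points above (the missing output escaping described in the analysis, and the audit of media library content recommended as mitigation); it is not code from the Real Media Library plugin or from VulDB. The attachment records are constructed sample data, the render functions are hypothetical stand-ins for a media library view, and the `escapeHtml` helper is a minimal context escaper for HTML text and double-quoted attribute values.

```javascript
// Added example (not the plugin's code): how unescaped image title/alt text
// becomes stored XSS when rendered, how output escaping neutralizes it, and
// how a simple audit flags stored metadata that already contains markup.

// Constructed sample attachment records; the second one carries illustrative
// markup in its title and alt fields so the difference between renderers shows.
const sampleAttachments = [
  { id: 101, title: "Team photo", alt: "Four people at a table" },
  { id: 102, title: 'Logo" onerror="alert(1)', alt: "<img src=x onerror=alert(1)>" },
  { id: 103, title: "Q3 chart", alt: "Bar chart of quarterly revenue" },
];

// Vulnerable pattern: stored metadata concatenated straight into HTML.
// The title breaks out of its attribute and the alt text introduces a new tag.
function renderAttachmentUnsafe(att) {
  return '<figure><img src="/uploads/' + att.id + '.png" alt="' + att.alt +
    '" title="' + att.title + '"><figcaption>' + att.title + '</figcaption></figure>';
}

// Escape the characters that are significant in HTML text and in
// double-quoted attribute values (the contexts used by the renderer below).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hardened pattern: every untrusted value is escaped at output time, so stored
// markup is displayed as text instead of being parsed as HTML.
function renderAttachmentSafe(att) {
  const title = escapeHtml(att.title);
  const alt = escapeHtml(att.alt);
  return '<figure><img src="/uploads/' + encodeURIComponent(att.id) + '.png" alt="' + alt +
    '" title="' + title + '"><figcaption>' + title + '</figcaption></figure>';
}

// Audit helper: flags title/alt values that contain a tag opener, an
// event-handler-style "on...=" assignment, or a javascript: scheme.
// It is a review aid for media library content, so false positives are acceptable.
const MARKUP_PATTERN = /<[a-z!\/]|\bon[a-z]+\s*=|javascript:/i;
function auditAttachments(attachments) {
  const findings = [];
  for (const att of attachments) {
    for (const field of ["title", "alt"]) {
      if (MARKUP_PATTERN.test(att[field])) findings.push({ id: att.id, field });
    }
  }
  return findings;
}

// Stand-alone demonstration over the constructed records.
function demo() {
  for (const f of auditAttachments(sampleAttachments)) {
    console.log(`attachment ${f.id}: suspicious markup in ${f.field}`);
  }
  console.log(renderAttachmentSafe(sampleAttachments[1]));
}
demo();
```

On the PHP side of a WordPress plugin the equivalent of `escapeHtml` is the core `esc_attr()` / `esc_html()` pair, applied at the point of output; the audit loop would read the stored attachment title and `_wp_attachment_image_alt` meta instead of an in-memory array.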

Responsible

Wordfence

Reservation

03/08/2024

Disclosure

05/02/2024

Moderation

accepted

CPE

ready

EPSS

0.00404

KEV

no

Activities

very low
