Broken Access Control vulnerability (<= 3.3.0)
We have been made aware of CVE-2025-63065, “Authorization Bypass Through User-Controlled Key vulnerability”.
Have you been made aware of this security notice?
Thanks for your report and for the link to the CVE record. I am now aware of this notification and have asked Patchstack for the original report so I can investigate further and resolve the problem. I will post an update here when I have progress to report.
Thanks for your patience. Further investigation revealed that this vulnerability was reported to me back in September. I developed a patch to correct it, and this was part of MLA v3.30 released on October 19. I made some sort of mistake in reporting the fix back to Patchstack, and I regret the confusion. I am working with them to clear that up now. Rest assured the fix is part of the current MLA version.
I will mark this topic resolved when I have straightened things out with Patchstack and WordFence.
Dear David, thanks for jumping on this problem. Maybe you could make a fresh release, which would resolve another issue, namely that the plugin was reported as not tested with the current version of WordPress.
Thanks for the good work!
Ger
Thanks for the positive feedback and for your suggestion. I have resubmitted my fix to Patchstack and WordFence and am awaiting confirmation that they have marked the issue resolved.
I will be out of town and without Internet access from 12/27 until 1/5/2026. I plan to release a new MLA version as soon as I am back. Thanks for your patience.
Hi,
Have you heard back about this fix? Is a new version compatible with the current version of WordPress planned?
Thank you for your reply.
Thanks for your update. I re-submitted my fix to Patchstack on 12/11/25, and submitted it separately to WordFence on 12/25/25. As of today, both organizations report the patch is in the process of evaluation. I don’t know what else to do to move that along.
The current MLA release, v3.30, contains the patch and the vulnerability has been addressed. I am holding the new version back until one or both organizations verify the patch on the off chance that they find something else in the process. Both the current v3.30 and the next version are fully compatible with WordPress 6.9.
Thank you for your patience and understanding.
Thank you for your prompt response. I have therefore reactivated your plugin, which is so useful for the media library.
I am happy to report that WordFence has validated the patch I added to MLA v3.30 and updated their report, which you can see here:
Media Library Assistant <= 3.29 – Missing Authorization
I assume that Patchstack will validate the patch and update their database eventually.
I have released MLA v3.31, which contains the patch and several other updates. I am marking this topic resolved, but please update it if you have any questions about the patch. Thank you for your patience!
Well, confusingly, Patchstack are now showing that versions <=3.32 are vulnerable, although that isn’t reflected in the associated CVE.
@huskydog – Thanks for your update.
I have submitted my patch three times and sent emails and Slack messages asking them to either confirm the patch or give me a way to reproduce whatever issue is still active. Until they respond I cannot account for the delay in updating their database. As I posted earlier, Wordfence has validated the patch, as you can see here:
Media Library Assistant <= 3.29 – Missing Authorization
I will keep trying and post an update here when I have progress to report.