• Following a WordPress core update to 6.9, WordFence flagged this plugin for a known security vulnerability. Within just a few hours, and before I could disable or update it, my VPS IP was blacklisted by Spamhaus (CSS) due to outbound spam activity. This led to my provider automatically suspending my account.

    This is an actively exploitable vulnerability with immediate, real-world consequences, rather than just a theoretical concern. Since the site showed no obvious signs of being compromised, the plugin is especially dangerous.

    I recommend avoiding this plugin unless you are prepared to monitor it constantly and can disable it the moment a security warning appears. Right now, the risk clearly outweighs the benefit.

Viewing 1 replies (of 1 total)
  • Plugin Author David Lingren (@dglingren)

    @alltdl – Thank you for your report. I regret the trouble the WordFence notice has caused on your site. The vulnerability given in the report was fixed in MLA v3.30 released on October 19. You can find more information in this support topic:

    Broken Access Control vulnerability (<= 3.3.0) | WordPress.org

    Patchstack, where the report originated, describes the threat as “Low priority No impactful threat”. The threat allows downloading a Media Library item by guessing its permalink. I have resubmitted the fix to Patchstack and it is “in review”. Again, I regret the trouble this mix-up has caused on your site.
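The issue described in this thread is a broken access control: a file-serving endpoint that relies on an attachment's ID or permalink being hard to guess instead of authorising the request. The following is an added, illustrative example for readers of this review, not code from the Media Library Assistant plugin or from its author. It contrasts a weak handler with a hardened one using standard WordPress functions (`absint`, `get_post`, `current_user_can`, `get_attached_file`, `wp_die`); the `example_` function names and the `attachment_id` query parameter are assumptions made for the illustration.

```php
<?php
// Illustrative example added to this thread; not code from the Media Library
// Assistant plugin. Function names prefixed "example_" and the query parameter
// "attachment_id" are hypothetical. The point: a file-serving endpoint must
// authorise the request against the specific attachment rather than rely on
// the ID or permalink being unguessable.

// Weak pattern: any request that supplies a valid attachment ID gets the file.
// An unauthenticated visitor can enumerate IDs and retrieve private media.
function example_serve_attachment_weak() {
    $id   = isset( $_GET['attachment_id'] ) ? absint( $_GET['attachment_id'] ) : 0;
    $file = get_attached_file( $id ); // no capability check at all
    if ( $file && is_readable( $file ) ) {
        header( 'Content-Type: ' . get_post_mime_type( $id ) );
        readfile( $file );
    }
    exit;
}

// Hardened pattern: validate the ID, confirm the post really is an attachment,
// and require that the current user is allowed to read that specific post.
function example_serve_attachment_hardened() {
    $id   = isset( $_GET['attachment_id'] ) ? absint( $_GET['attachment_id'] ) : 0;
    $post = $id ? get_post( $id ) : null;

    // Return 404 for both "no such post" and "not an attachment" so the
    // response does not reveal which IDs exist.
    if ( ! $post || 'attachment' !== $post->post_type ) {
        wp_die( 'Not found.', 'Not found', array( 'response' => 404 ) );
    }

    // 'read_post' is a meta capability: WordPress maps it to the correct
    // primitive capability for the attachment's status and parent post, so
    // private or unpublished items are denied to users who may not see them.
    if ( ! current_user_can( 'read_post', $post->ID ) ) {
        wp_die( 'Forbidden.', 'Forbidden', array( 'response' => 403 ) );
    }

    $file = get_attached_file( $post->ID );
    if ( ! $file || ! is_readable( $file ) ) {
        wp_die( 'Not found.', 'Not found', array( 'response' => 404 ) );
    }

    header( 'Content-Type: ' . get_post_mime_type( $post->ID ) );
    header( 'Content-Length: ' . filesize( $file ) );
    header( 'Content-Disposition: attachment; filename="' . basename( $file ) . '"' );
    readfile( $file );
    exit;
}
```

From a defender's side, the useful check after an update like the one described above is to look for bursts of requests to the plugin's download endpoint with sequential or random attachment IDs in the web server access log, which is the footprint of ID guessing that a per-request capability check is meant to stop.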
