• Resolved Mark Howells-Mead

    (@markhowellsmead)


    The following security problem has been issued for this plugin.

    Broken Access Control vulnerability discovered by Certus Cybersecurity in WordPress Plugin Media Library Assistant (versions <= 3.30)

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author David Lingren

    (@dglingren)

    Thanks for your report. I am aware of this notification and have asked Patchstack for the original report so I can investigate further and resolve the problem. I will post an update here when I have progress to report.

    Plugin Author David Lingren

    (@dglingren)

    Thanks for your patience. Further investigation revealed that this vulnerability was reported to me back in September. I developed a patch to correct it, and this was part of MLA v3.30 released on October 19. I made some sort of mistake in reporting the fix back to Patchstack, and I regret the confusion. I am working with them to clear that up now. Rest assured the fix is part of the current MLA version.

    I will mark this topic resolved when I have straightened things out with Patchstack and WordFence.

    Plugin Author David Lingren

    (@dglingren)

    Please see this related topic for more information:

    Broken Access Control vulnerability (<= 3.3.0) | WordPress.org

    Thank you.

    Plugin Author David Lingren

    (@dglingren)

    I am happy to report that WordFence has validated the patch I added to MLA v3.30 and updated their report, which you can see here:

    Media Library Assistant <= 3.29 – Missing Authorization

    I assume that Patchstack will validate the patch and update their database eventually.

    I have released MLA v3.31, which contains the patch and several other updates. I am marking this topic resolved, but please update it if you have any questions about the patch. Thank you for your patience!
