Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media LIbrary Assistant allows SQL Injection.This issue affects Media LIbrary Assistant: from n/a through 3.34.
Published: 2026-04-06
Score: 8.5 High
EPSS: 1.7% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is caused by improper neutralization of special elements in a SQL command, allowing attackers to inject arbitrary SQL statements into the database through the Media Library Assistant plugin. This can result in unauthorized data read, modification, or deletion, compromising the confidentiality and integrity of the site's data. The weakness is a classic SQL injection flaw, identified as CWE-89.

Affected Systems

David Lingren Media Library Assistant for WordPress is affected, on every release up to and including version 3.34. A WordPress site that has not upgraded past this version is vulnerable.

Risk and Exploitability

The CVSS score of 8.5 classifies this as a high severity vulnerability. While the EPSS score of 2% indicates a low exploitation probability and the vulnerability is not listed in the CISA KEV catalog, the likelihood of exploitation remains limited. It is inferred that an attacker who can craft a request to the vulnerable endpoint can inject SQL and potentially gain full read/write access to the database table used by Media Library Assistant, as this conclusion is drawn from accessibility via the web interface. The description does not state that additional permissions are required, so it is inferred that the attack does not need extra privileges beyond web application access, making it feasible for remote adversaries with knowledge of the site structure.

Generated by OpenCVE AI on June 18, 2026 at 09:29 UTC.

Remediation

Vendor Solution

Update the WordPress Media LIbrary Assistant Plugin to the latest available version (at least 3.35).

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch by upgrading the Media Library Assistant plugin to version 3.35 or later.
  • If an immediate upgrade is not feasible, disable or uninstall the Media Library Assistant plugin to remove the attack surface.
  • Configure the WordPress database user with the least privilege required for normal operation, limiting the tables that can be accessed by the plugin.

Generated by OpenCVE AI on June 18, 2026 at 09:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Davidlingren
Davidlingren media Library Assistant
Wordpress
Wordpress wordpress
Vendors & Products Davidlingren
Davidlingren media Library Assistant
Wordpress
Wordpress wordpress

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 06 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media LIbrary Assistant allows SQL Injection.This issue affects Media LIbrary Assistant: from n/a through 3.34.
Title WordPress Media LIbrary Assistant plugin <= 3.34 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Subscriptions

Davidlingren Media Library Assistant
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-06T15:24:38.062Z

Reserved: 2026-03-31T09:57:17.718Z

Link: CVE-2026-34885

cve-icon Vulnrichment

Updated: 2026-04-06T15:24:30.730Z

cve-icon NVD

Status : Deferred

Published: 2026-04-06T15:17:11.130

Modified: 2026-06-17T10:39:47.290

Link: CVE-2026-34885

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T09:30:15Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')