Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media LIbrary Assistant allows SQL Injection.This issue affects Media LIbrary Assistant: from n/a through 3.34.
Published: 2026-04-06
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is caused by improper neutralization of special elements in a SQL command, allowing attackers to inject arbitrary SQL statements into the database through the Media Library Assistant plugin. This can result in unauthorized data read, modification, or deletion, compromising the confidentiality and integrity of the site's data. The weakness is a classic SQL injection flaw, identified as CWE‑89.

Affected Systems

David Lingren Media Library Assistant for WordPress is affected, on every release up to and including version 3.34. A WordPress site that has not upgraded past this version is vulnerable.

Risk and Exploitability

The CVSS score of 8.5 classifies this as a high severity vulnerability. While the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, the likelihood of exploitation remains high because the affected code is reachable via the web interface of a WordPress plugin. An attacker who can craft a request to the vulnerable endpoint can inject SQL and potentially gain full read/write access to the database table used by Media Library Assistant. The attack does not require additional permissions beyond access to the web application, so it is feasible for remote adversaries with knowledge of the site structure.

Generated by OpenCVE AI on April 6, 2026 at 17:41 UTC.

Remediation

Vendor Solution

Update the WordPress Media LIbrary Assistant Plugin to the latest available version (at least 3.35).

OpenCVE Recommended Actions

  • Update the Media Library Assistant plugin to version 3.35 or later.

Generated by OpenCVE AI on April 6, 2026 at 17:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Davidlingren
Davidlingren media Library Assistant
Wordpress
Wordpress wordpress
Vendors & Products Davidlingren
Davidlingren media Library Assistant
Wordpress
Wordpress wordpress

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 06 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media LIbrary Assistant allows SQL Injection.This issue affects Media LIbrary Assistant: from n/a through 3.34.
Title WordPress Media LIbrary Assistant plugin <= 3.34 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Subscriptions

Davidlingren Media Library Assistant
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-06T15:24:38.062Z

Reserved: 2026-03-31T09:57:17.718Z

Link: CVE-2026-34885

cve-icon Vulnrichment

Updated: 2026-04-06T15:24:30.730Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-06T15:17:11.130

Modified: 2026-04-07T13:20:35.010

Link: CVE-2026-34885

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T21:32:37Z

Weaknesses