Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media LIbrary Assistant allows Blind SQL Injection.

This issue affects Media LIbrary Assistant: from n/a through 3.35.
Published: 2026-06-18
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability describes an improper neutralization of special elements used in an SQL command within the Media Library Assistant plugin, enabling blind SQL injection. An attacker can inject malicious SQL fragments that the plugin substitutes into database queries, potentially allowing the extraction or modification of data stored in the WordPress database. Depending on the database schema the attacker may read sensitive information, alter records, or create new administrative accounts.

Affected Systems

The flaw affects all installations of the Media Library Assistant plug‑in from the earliest version up through 3.35 inclusive. Any WordPress site that has migrated or retained these affected plugin versions is vulnerable.

Risk and Exploitability

The CVSS assessment of 8.5 classifies this as a high‑severity exploitation risk. Though an EPSS score is not provided, the lack of disclosure in the KEV catalog suggests limited known public exploits, yet the potential impact remains substantial. Access requires interaction with the plugin’s administrative interface, which typically mandates authenticated WordPress credentials, but once authenticated an attacker can craft the injection payload without additional privileges.

Generated by OpenCVE AI on June 18, 2026 at 19:42 UTC.

Remediation

Vendor Solution

Update the WordPress Media LIbrary Assistant Plugin to the latest available version (at least 3.36).


OpenCVE Recommended Actions

  • Update the Media Library Assistant plug‑in to version 3.36 or later
  • If an upgrade cannot be performed immediately, deactivate or remove the plug‑in from the site to eliminate the attack surface
  • After remediation, back up the WordPress database and review logs for any suspicious queries or unauthorized data changes

Generated by OpenCVE AI on June 18, 2026 at 19:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Davidlingren
Davidlingren media Library Assistant
Wordpress
Wordpress wordpress
Vendors & Products Davidlingren
Davidlingren media Library Assistant
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media LIbrary Assistant allows Blind SQL Injection. This issue affects Media LIbrary Assistant: from n/a through 3.35.
Title WordPress Media LIbrary Assistant plugin <= 3.35 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Subscriptions

Davidlingren Media Library Assistant
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-18T16:10:48.523Z

Reserved: 2026-06-18T09:31:56.471Z

Link: CVE-2026-56012

cve-icon Vulnrichment

Updated: 2026-06-18T15:21:56.829Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T20:00:14Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')