Description
The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.35. This is due to missing nonce verification on the bulk action handlers in the settings tab. This makes it possible for unauthenticated attackers to trick an administrator into performing bulk delete, edit, or purge operations on plugin settings and attachment metadata via a forged request.
Published: 2026-05-29
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Media Library Assistant plugin for WordPress is vulnerable to Cross‑Site Request Forgery in all versions up to and including 3.35 because the bulk action handlers in the settings tab do not verify a WordPress nonce before acting on the submitted form. An attacker who can get an administrator to open a crafted page or URL while logged in can make the administrator's browser submit the bulk form; the server sees a request carrying valid session cookies and executes the bulk delete, edit or purge operation on plugin settings and attachment metadata, potentially destroying configuration and media data. The flaw is a straightforward CSRF weakness (CWE‑352): the attacker needs no account of their own, because the forged request runs with the privileges of whichever administrator submits it.
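The pattern the analysis describes, as an added illustration rather than code from the Media Library Assistant plugin: a settings-tab bulk handler that trusts the request because the user is logged in, beside the hardened form that ties the request to a nonce and a capability. The function names, the option name `mla_example_settings`, the nonce action `mla_example_bulk` and the form field names are assumptions chosen for the example; only the WordPress API calls (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `wp_delete_attachment`, `delete_option`, `submit_button`) are real.

```php
<?php
// Added example; not the plugin's own code. Names below are hypothetical.

// --- Vulnerable pattern ---------------------------------------------------
// Nothing ties this request to a form the admin actually rendered. A page
// on another origin can auto-submit the same fields; the admin's browser
// attaches the WordPress auth cookies, and the handler runs.
function example_bulk_action_vulnerable() {
    if ( empty( $_POST['bulk_action'] ) ) {
        return;
    }
    $action = sanitize_key( wp_unslash( $_POST['bulk_action'] ) );
    $ids    = array_map( 'absint', (array) ( $_POST['ids'] ?? array() ) );

    if ( 'delete' === $action ) {
        foreach ( $ids as $id ) {
            wp_delete_attachment( $id, true ); // irreversible, no nonce checked
        }
    } elseif ( 'purge' === $action ) {
        delete_option( 'mla_example_settings' ); // hypothetical option name
    }
}

// --- Hardened pattern -----------------------------------------------------
function example_bulk_action_hardened() {
    if ( empty( $_POST['bulk_action'] ) ) {
        return;
    }
    // check_admin_referer() runs wp_verify_nonce() on the named field and
    // calls wp_die() with a 403 when the nonce is missing, expired or bound
    // to a different action. Nonces are derived from the user session and the
    // action string, so a cross-site form cannot supply a valid one.
    check_admin_referer( 'mla_example_bulk', '_mla_bulk_nonce' );

    // A nonce proves intent, not authorization: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You do not have permission to do this.', 'example' ),
            '',
            array( 'response' => 403 )
        );
    }

    $action = sanitize_key( wp_unslash( $_POST['bulk_action'] ) );
    $ids    = array_map( 'absint', (array) ( $_POST['ids'] ?? array() ) );

    if ( 'delete' === $action ) {
        foreach ( $ids as $id ) {
            wp_delete_attachment( $id, true );
        }
    } elseif ( 'purge' === $action ) {
        delete_option( 'mla_example_settings' );
    }
}

// --- Form side --------------------------------------------------------------
// The settings tab must emit the nonce field the hardened handler expects;
// action string and field name have to match on both sides.
function example_render_bulk_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'mla_example_bulk', '_mla_bulk_nonce' ); ?>
        <input type="hidden" name="ids[]" value="123">
        <select name="bulk_action">
            <option value="delete">Delete</option>
            <option value="purge">Purge settings</option>
        </select>
        <?php submit_button( 'Apply' ); ?>
    </form>
    <?php
}
```

A quick check when reviewing a patched release is to locate the plugin's bulk action handlers and confirm that each one calls `check_admin_referer()` or `wp_verify_nonce()` before any `delete_option()`, `update_option()` or attachment-modifying call, and that the corresponding form calls `wp_nonce_field()` with the same action string.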

Affected Systems

All installations of the dglingren Media Library Assistant WordPress plugin with a version of 3.35 or earlier are affected. The vulnerability applies to the bulk action handlers in the settings tab of the plugin.

Risk and Exploitability

The vulnerability receives a CVSS 3.1 score of 8.1 (High) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H: network reachable, no privileges required, user interaction required, with high impact on integrity and availability and none on confidentiality. The EPSS score is below 1% (very low), and the flaw is not listed in the CISA KEV catalog. Exploitation requires only that an attacker get a logged‑in administrator to open a malicious page or URL; no account on the site and no other server-side vulnerability is needed. The simple CSRF attack path and the destructive effect of unauthorized bulk changes make this a significant risk to affected sites.

Generated by OpenCVE AI on May 29, 2026 at 10:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Media Library Assistant plugin to version 3.36 or later, which is reported to restore nonce verification for the bulk actions. Since the Remediation field above lists no vendor fix, confirm in the plugin's changelog that the installed release includes the change.
  • If an upgrade is not immediately possible, temporarily deactivate the plugin until a patched release is installed; the page lists no vendor workaround.
  • Deploy site‑wide CSRF protection while remediation is pending, such as a Web Application Firewall rule that rejects requests to the plugin's bulk action endpoints when the Origin or Referer header is absent or does not match the site's own origin.

Generated by OpenCVE AI on May 29, 2026 at 10:24 UTC.


Advisories

No advisories yet.

History

Fri, 29 May 2026 14:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Davidlingren
                                       Davidlingren media Library Assistant
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Davidlingren
                                       Davidlingren media Library Assistant
                                       Wordpress
                                       Wordpress wordpress

Fri, 29 May 2026 10:30:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc
                                       {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 09:00:00 +0000

Type                  Values Removed   Values Added
Description                            The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.35 This is due to missing nonce verification on the bulk action handlers in the settings tab handlers. This makes it possible for unauthenticated attackers to trick an administrator into performing bulk delete, edit, or purge operations on plugin settings and attachment metadata via a forged request.
Title                                  Media Library Assistant <= 3.35 - Cross-Site Request Forgery via Bulk Action Form
Weaknesses                             CWE-352
References
Metrics                                cvssV3_1
                                       {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H'}


Subscriptions

Davidlingren Media Library Assistant
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-29T10:05:22.136Z

Reserved: 2026-04-10T14:31:12.134Z

Link: CVE-2026-6075

Vulnrichment

Updated: 2026-05-29T10:05:16.950Z

NVD

Status : Deferred

Published: 2026-05-29T09:16:18.400

Modified: 2026-05-29T13:09:05.450

Link: CVE-2026-6075

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T14:30:36Z

Weaknesses