CVE-2026-6075 | The Media Library Assistant plugin for WordPress is vulnerab… | CVSS 8.1 HIGH

Description

The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.35 This is due to missing nonce verification on the bulk action handlers in the settings tab handlers. This makes it possible for unauthenticated attackers to trick an administrator into performing bulk delete, edit, or purge operations on plugin settings and attachment metadata via a forged request.

Metadata

CVE ID: CVE-2026-6075
State: PUBLISHED
Assigner: Wordfence
Reserved: 2026-04-10 14:31 UTC
Published: 2026-05-29 07:46 UTC
Last updated: 2026-05-29 10:05 UTC
Primary CWE: CWE-352
CWE-352 Cross-Site Request Forgery (CSRF)
Vendor / Product: dglingren / Media Library Assistant
Sources: cve.org · NVD

Severity & Metrics

8.1 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
dglingren	Media Library Assistant	—	0 ≤ 3.35

Weakness (CWE)

CWE	Source	Description
CWE-352	cna	CWE-352 Cross-Site Request Forgery (CSRF)

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.1	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

References (11)