CVE-2026-6075 HIGH

CVE-2026-6075: Media Library Assistant <= 3.35 - Cross-Site Request Forgery via Bulk Action Form

Vendor Dglingren
Product Media Library Assistant
Weakness CWE-352 · CSRF
Published May 29, 2026
Last update May 29, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

What the vulnerability does

01 Description

The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.35. This is due to missing nonce verification on the bulk action handlers of the settings tabs. This makes it possible for unauthenticated attackers to trick an administrator into performing bulk delete, edit, or purge operations on plugin settings and attachment metadata via a forged request.
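As an added illustration (not code from the Media Library Assistant plugin), a hypothetical WordPress bulk-action handler in the vulnerable shape the description points to, followed by the same handler gated by the nonce and capability checks WordPress provides for this purpose; all function, action, nonce and field names are assumptions.

```php
<?php
// Added example, not the plugin's own code; all names below are hypothetical.

// VULNERABLE shape: the handler acts as soon as it sees a bulk action in the
// POST body. Browsers attach the admin's session cookie to a form post from
// any origin, so a page the admin merely visits can submit this request.
function hypothetical_bulk_action_vulnerable() {
    if ( empty( $_POST['bulk_action'] ) ) {
        return;
    }
    $action = sanitize_text_field( wp_unslash( $_POST['bulk_action'] ) );
    $ids    = array_map( 'absint', (array) ( $_POST['item_ids'] ?? array() ) );
    hypothetical_apply_bulk_action( $action, $ids );
}

// HARDENED shape: the form embeds a nonce bound to this action and to the
// logged-in user; the handler rejects requests without a valid nonce and
// confirms the caller holds the required capability before doing anything.
function hypothetical_render_bulk_form() {
    echo '<form method="post">';
    wp_nonce_field( 'hypothetical_bulk_action', '_hypothetical_nonce' );
    echo '<select name="bulk_action"><option value="purge">Purge</option></select>';
    echo '<input type="checkbox" name="item_ids[]" value="123"></form>';
}

function hypothetical_bulk_action_hardened() {
    if ( empty( $_POST['bulk_action'] ) ) {
        return;
    }
    // check_admin_referer() wraps wp_verify_nonce() and ends the request with
    // a 403 page when the nonce is missing, forged, or expired.
    check_admin_referer( 'hypothetical_bulk_action', '_hypothetical_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to run bulk actions.' ), 403 );
    }
    $action = sanitize_text_field( wp_unslash( $_POST['bulk_action'] ) );
    $ids    = array_map( 'absint', (array) ( $_POST['item_ids'] ?? array() ) );
    hypothetical_apply_bulk_action( $action, $ids );
}

// The operation is identical in both versions; only the gate in front of it
// differs. Here "purge" removes a hypothetical meta key from each attachment.
function hypothetical_apply_bulk_action( $action, array $ids ) {
    foreach ( $ids as $id ) {
        if ( 'purge' === $action ) {
            delete_post_meta( $id, '_hypothetical_bulk_meta' );
        }
    }
}
```

The nonce is per user and per action, so a page on another origin cannot embed a valid one in its form; the capability check additionally stops a lower-privileged logged-in user from reaching the same handler.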

Explanation of Vulnerability in Simple Terms

02 Summary

Media Library Assistant versions 3.35 and earlier are vulnerable to cross-site request forgery (CSRF) attacks. An attacker can craft a malicious webpage that, when visited by a logged-in site administrator, performs unwanted actions on the site without the admin's knowledge or consent. The attacker cannot read sensitive data, but can modify or delete content and disrupt site availability.

What an attacker can do

03 Attacker Capabilities

Trick a logged-in admin into performing unwanted actions (modify, delete content, change settings) via a malicious webpage.

Potential impact on your site

04 Site Impact

Admins could unknowingly modify or delete site content, change settings, or disrupt availability if they visit a malicious link while logged in.

Conditions required to exploit

05 Prerequisites

An administrator must visit the attacker's webpage while logged into the WordPress site. No special privileges or complex setup are required.

Key dates

06 Disclosure timeline

May 29, 2026 CVE published
May 29, 2026 Record updated