What the vulnerability does
01Description
The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.35 This is due to missing nonce verification on the bulk action handlers in the settings tab handlers. This makes it possible for unauthenticated attackers to trick an administrator into performing bulk delete, edit, or purge operations on plugin settings and attachment metadata via a forged request.
Explanation of Vulnerability in Simple Terms
02Summary
Media Library Assistant versions 3.35 and earlier are vulnerable to cross-site request forgery (CSRF) attacks. An attacker can craft a malicious webpage that, when visited by a logged-in site administrator, performs unwanted actions on the site without the admin's knowledge or consent. The attacker cannot read sensitive data, but can modify or delete content and disrupt site availability.
What an attacker can do
03Attacker Capabilities
Trick a logged-in admin into performing unwanted actions (modify, delete content, change settings) via a malicious webpage.
Potential impact on your site
04Site Impact
Admins could unknowingly modify or delete site content, change settings, or disrupt availability if they visit a malicious link while logged in.
Conditions required to exploit
05Prerequisites
Admin must visit attacker's webpage while logged into the WordPress site. No special privileges or complex setup required.
Key dates
06Disclosure timeline
May 29, 2026
CVE published
May 29, 2026
Record updated