CVE-2026-6075

HIGH

Media Library Assistant <= 3.35 - Cross-Site Request Forgery via Bulk Action Form

Title source: cna
STIX 2.1

Description

The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.35 This is due to missing nonce verification on the bulk action handlers in the settings tab handlers. This makes it possible for unauthenticated attackers to trick an administrator into performing bulk delete, edit, or purge operations on plugin settings and attachment metadata via a forged request.

References (11)

Core 11
Core References

Scores

CVSS v3 8.1
EPSS 0.0004
EPSS Percentile 13.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-352
Status published
Products (1)
dglingren/Media Library Assistant < 3.35
Published May 29, 2026
Tracked Since May 29, 2026