Platform: wordpress
Component: media-library-assistant
Fixed in: 3.34.1, 3.35
CVE-2026-34885 describes a SQL Injection vulnerability found in Media Library Assistant. This flaw allows attackers to inject malicious SQL code into database queries, potentially gaining unauthorized access to sensitive data or manipulating the application's functionality. The vulnerability affects Media Library Assistant versions from n/a up to and including 3.34. No official patch is currently available.
CVE-2026-34885 in the Media Library Assistant plugin for WordPress presents a significant security risk. This vulnerability is a SQL Injection, allowing authenticated attackers (with contributor-level access or higher) to append additional SQL queries to existing queries, potentially extracting sensitive information from the database. The lack of proper escaping of user-supplied parameters and insufficient query preparation enables this malicious code injection. The potential impact includes exposure of user data, website configuration information, and, in severe cases, complete website control. The CVSS score of 6.5 indicates a medium risk, but the possibility of unauthorized database access warrants immediate attention.
An attacker with contributor-level access or higher on a WordPress site using a vulnerable version of Media Library Assistant can exploit this vulnerability. The attacker could inject malicious SQL code through unvalidated input parameters. This injected code would execute alongside the original SQL query, allowing the attacker to access or modify data in the database. Exploitation requires authentication, limiting the attack scope to users with privileges within the site. However, even a contributor can cause significant damage if they have access to sensitive information or can modify site configuration.
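As an added illustration (not Media Library Assistant's own code; the advisory does not show the affected query), the hypothetical plugin functions below contrast the unprepared-query pattern the advisory describes with the prepared form, plus the allow-list handling that is needed for parts of a query `$wpdb->prepare()` cannot bind. The function names, columns and parameters are assumptions.

```php
<?php
// Added example, not code from Media Library Assistant. $wpdb is WordPress's
// global database object; table columns and function names here are hypothetical.

// Vulnerable pattern: a user-supplied value is concatenated straight into the
// query. Nothing escapes or binds it, so the database parses it as SQL, not data.
function mla_demo_find_attachments_unsafe( $mime_type, $orderby ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} "
         . "WHERE post_type = 'attachment' AND post_mime_type = '" . $mime_type . "' "
         . "ORDER BY " . $orderby;
    return $wpdb->get_results( $sql );
}

// Hardened pattern: $wpdb->prepare() binds the value through a placeholder (%s),
// so it is quoted and escaped before reaching MySQL. Identifiers such as the
// ORDER BY column cannot be bound, so they are resolved from a fixed allow-list
// and never taken verbatim from the request.
function mla_demo_find_attachments_safe( $mime_type, $orderby ) {
    global $wpdb;

    // Allow-list of sortable columns; anything unknown falls back to a default.
    $allowed_orderby = array( 'ID', 'post_title', 'post_date' );
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'ID';
    }

    // Reject values that do not look like a MIME type before binding them.
    if ( ! is_string( $mime_type ) || ! preg_match( '#^[a-z0-9.+-]+/[a-z0-9.+-]+$#i', $mime_type ) ) {
        return new WP_Error( 'mla_demo_invalid_mime', 'Unexpected MIME type value.' );
    }

    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} "
        . "WHERE post_type = 'attachment' AND post_mime_type = %s "
        . "ORDER BY {$orderby}",
        $mime_type
    );
    return $wpdb->get_results( $sql );
}
```

The same rule applies to numeric inputs such as paging offsets and limits: bind them with `%d` rather than interpolating them.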
Exploit Status
EPSS: 5.71% (90th percentile)
The most effective mitigation is to update the Media Library Assistant plugin to version 3.35 or higher. This version includes the necessary fixes to prevent SQL injection. If immediate updating is not possible, consider implementing additional security measures, such as restricting database access, using strong passwords, and keeping WordPress and other plugins updated. Regular security audits can also help identify and address potential vulnerabilities. Monitoring server logs for suspicious activity is crucial. Prompt updating is the best defense against this vulnerability.
Update to version 3.35, or a newer patched version
SQL Injection is a type of attack where an attacker inserts malicious SQL code into an SQL query to access or manipulate data in the database.
In WordPress, 'contributor' level access allows users to create and edit posts, but not publish them. However, with this vulnerability, even a contributor can access sensitive information.
Check the version of the Media Library Assistant plugin. If it's older than 3.35, your website is vulnerable. You can also use third-party vulnerability scanning tools.
Immediately change the passwords for all users with privileged access. Perform a comprehensive security audit and restore your website from a clean backup.
Several WordPress security plugins can help prevent SQL injection, as well as web application firewalls (WAFs).