Platform: wordpress
Component: media-library-assistant
Fixed in: 3.34.1, 3.35
CVE-2026-34897 describes a Stored Cross-Site Scripting (XSS) vulnerability discovered in the Media Library Assistant plugin. This flaw allows an attacker to inject malicious scripts that are stored by the site and executed when other users access affected pages, potentially leading to account takeover or other malicious actions. The vulnerability affects Media Library Assistant versions up to and including 3.34. As of the publication date, no official patch has been released to address this issue.
CVE-2026-34897 in the Media Library Assistant plugin for WordPress is a Stored Cross-Site Scripting (XSS) vulnerability. Authenticated attackers with contributor-level access or higher can inject malicious JavaScript into WordPress pages. The injected code executes every time a user loads the compromised page, allowing the attacker to steal cookies, redirect users to malicious websites, or modify page content. The CVSS severity score is 6.4, indicating a moderate risk. Insufficient input sanitization and inadequate output escaping are the root causes of this vulnerability. The potential impact is significant, especially for sites with a large user base and dynamic content.
An attacker with contributor or higher access on a WordPress site running Media Library Assistant up to version 3.34 can exploit this vulnerability. The attacker injects malicious JavaScript through an input handled by the plugin, such as when adding metadata to an image or modifying plugin settings. Once injected, the code is stored in the database and executes every time a user accesses the affected page. Exploitation requires authentication but does not require advanced technical skills.
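The root cause named above (missing input sanitization and output escaping of contributor-supplied text) is easiest to see in code. The following is an added example written for this page, not Media Library Assistant's own code: it shows a hypothetical attachment note field handled with the WordPress sanitization and escaping functions that close this bug class (the meta key, function names and form field name are assumptions).

```php
<?php
// Added example, not the plugin's code. A hypothetical per-attachment "note"
// field that a contributor can edit, handled safely on both write and read.

const MLA_DEMO_META_KEY = '_mla_demo_note'; // hypothetical meta key

// Write path: capability check, nonce check, then sanitize before storing.
function mla_demo_save_note( int $attachment_id ): bool {
    // Contributors may only edit attachments they are allowed to edit.
    if ( ! current_user_can( 'edit_post', $attachment_id ) ) {
        return false;
    }
    check_admin_referer( 'mla_demo_save_note_' . $attachment_id );

    // Constructed hostile input a contributor might submit:
    //   <img src=x onerror=alert(document.cookie)>
    $raw = isset( $_POST['mla_demo_note'] )
        ? (string) wp_unslash( $_POST['mla_demo_note'] )
        : '';

    // sanitize_text_field() strips tags and control characters, so only
    // plain text ever reaches the database.
    $clean = sanitize_text_field( $raw );
    return (bool) update_post_meta( $attachment_id, MLA_DEMO_META_KEY, $clean );
}

// Read path: escape for the exact output context, even though the value
// was sanitized on write (older rows, imports or other code paths may not
// have been).
function mla_demo_render_note( int $attachment_id ): string {
    $note = (string) get_post_meta( $attachment_id, MLA_DEMO_META_KEY, true );

    // The vulnerable pattern this CVE class describes would concatenate
    // $note straight into the markup. Instead, escape per context:
    // esc_attr() inside the attribute, esc_html() in the element body.
    return sprintf(
        '<span class="mla-demo-note" title="%s">%s</span>',
        esc_attr( $note ),
        esc_html( $note )
    );
}
```

With both layers in place, a stored payload is reduced to inert text on save and, should markup ever reach the database by another route, is neutralised again at render time.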
Exploit Status
EPSS: 0.03% (10th percentile)
The most effective fix is to update the Media Library Assistant plugin to version 3.35 or higher, which includes the changes needed to mitigate the XSS vulnerability. If an immediate update is not possible, consider additional measures such as restricting access to plugin functionality for users with limited privileges and using a WordPress security plugin capable of detecting and preventing XSS attacks. Regularly reviewing WordPress pages for suspicious content is also important. Periodic website backups are recommended so the site can be restored after a successful attack.
Update to version 3.35 or a newer patched version.
XSS (Cross-Site Scripting) is a type of security vulnerability that allows attackers to inject malicious scripts into legitimate websites. These scripts execute in the user's browser, potentially allowing the attacker to steal sensitive information or perform actions on the user's behalf.
If you are using Media Library Assistant in a version prior to 3.35, you are likely affected. Review your site's pages for unexpected content or unusual behavior.
If you suspect compromise, immediately change the passwords for all users with access to the site, back up the site, and restore from a clean backup. Consult a security professional to perform a comprehensive site audit.
Several vulnerability scanning tools can help detect XSS, both free and paid. Some WordPress security plugins also include XSS detection capabilities.
In WordPress, a user with the 'contributor' role has permission to add and edit posts, but cannot manage the site overall.