Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media LIbrary Assistant media-library-assistant allows Blind SQL Injection.This issue affects Media LIbrary Assistant: from n/a through <= 3.32.
AnalysisAI
Blind SQL injection in Media Library Assistant through version 3.32 allows authenticated attackers to execute arbitrary SQL queries over the network, potentially leading to unauthorized data access and service disruption. The vulnerability requires valid user credentials but no user interaction, making it exploitable by internal or compromised accounts with minimal effort. No patch is currently available for affected installations.
Technical ContextAI
The Media Library Assistant is a WordPress plugin that enhances media management capabilities within the WordPress content management system. The vulnerability stems from improper neutralization of special elements used in SQL commands (CWE-89), a classic SQL injection flaw where user input is not properly sanitized before being incorporated into database queries. This allows attackers to inject malicious SQL code that can be executed by the database engine, specifically through blind SQL injection techniques where data is extracted based on true/false responses rather than direct output.
RemediationAI
Upgrade the Media Library Assistant plugin to a version newer than 3.32 if available from the plugin developer. In the absence of specific patch information or vendor advisory links in the provided data, administrators should check the WordPress plugin repository or contact the plugin developer directly for update availability. As an interim mitigation, consider restricting access to WordPress admin functionality to trusted IP addresses only, implementing Web Application Firewall (WAF) rules to detect SQL injection attempts, and monitoring database query logs for suspicious activity.
More in Media Library Assistant
View allThe Media Library Assistant plugin for WordPress is vulnerable to Local File Inclusion and Remote Code Execution in vers
The Media Library Assistant plugin before 2.82 for Wordpress suffers from a Local File Inclusion vulnerability in mla_ga
In the media-library-assistant plugin before 2.82 for WordPress, Remote Code Execution can occur via the tax_query, meta
The Media Library Assistant plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode(s) in all ver
The Media Library Assistant plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter wit
The Media Library Assistant plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type valida
The Media Library Assistant WordPress plugin before 3.06 does not properly sanitise and escape a parameter before using
Reflected cross-site scripting in the Media Library Assistant WordPress plugin (versions up to and including 3.35) allow
The Media Library Assistant plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the lang parameter
The Media Library Assistant plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode(s) in all ver
The Media Library Assistant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode
The Media Library Assistant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mla_gallery' shor
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11916