Skip to main content

David Lingren Media LIbrary Assistant CVE-2026-34885

| EUVD-2026-19309 HIGH
SQL Injection (CWE-89)
2026-04-06 audit@patchstack.com GHSA-39w8-449c-wqw6
SQLi
8.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

5
Re-analysis Queued
Apr 24, 2026 - 18:22 vuln.today
cvss_changed
PoC Detected
Apr 07, 2026 - 13:20 vuln.today
Public exploit code
EUVD ID Assigned
Apr 06, 2026 - 15:22 euvd
EUVD-2026-19309
Analysis Generated
Apr 06, 2026 - 15:22 vuln.today
CVE Published
Apr 06, 2026 - 15:17 nvd
HIGH 8.5

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media LIbrary Assistant allows SQL Injection.This issue affects Media LIbrary Assistant: from n/a through 3.34.

AnalysisAI

SQL injection in WordPress Media Library Assistant plugin through version 3.34 allows authenticated attackers with low-level privileges to extract sensitive database contents and potentially disrupt availability. The vulnerability has a CVSS score of 8.5 (High) with scope change, indicating authenticated attackers can access data beyond their permission level. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privilege user
Delivery
Submit malicious SQL payload in input field
Exploit
Bypass input validation filters
Execution
Execute arbitrary SQL queries
Impact
Extract sensitive data from database
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Authenticated user access required to David Lingren Media Library Assistant versions up to 3.34. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 8.5 score reflects legitimate severity due to the Scope Change (S:C) metric, meaning attackers can impact resources beyond the vulnerable component's security scope, combined with High confidentiality impact and Low availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a low-privilege WordPress account (subscriber, contributor, or customer role) on a vulnerable site authenticates to the WordPress dashboard and navigates to functionality provided by the Media Library Assistant plugin. The attacker crafts malicious SQL injection payloads within user-controllable input fields or URL parameters processed by the plugin, exploiting the lack of input sanitization. …
Remediation Organizations should immediately upgrade the Media Library Assistant plugin to a version newer than 3.34 if a patched version has been released by the vendor. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all WordPress instances running Media Library Assistant plugin and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-34885 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy