Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in David Lingren Media LIbrary Assistant allows Stored XSS.This issue affects Media LIbrary Assistant: from n/a through 3.34.
AnalysisAI
Stored cross-site scripting (XSS) in David Lingren Media Library Assistant WordPress plugin through version 3.34 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other users viewing affected pages. The vulnerability requires user interaction (UI:R per CVSS vector) and impacts confidentiality, integrity, and availability with a CVSS score of 6.5. No public exploit code or active exploitation has been confirmed at the time of analysis.
Technical ContextAI
The vulnerability exists in the Media Library Assistant plugin's input sanitization during web page generation, classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The plugin fails to adequately neutralize user-supplied input before rendering it in HTML context, allowing authenticated attackers with low privileges (PR:L) to inject arbitrary JavaScript code. This code persists in the application's data store (stored XSS variant) and executes when other users access the affected content, crossing security boundaries (S:C per CVSS vector). The vulnerability affects all versions through 3.34 of the Media Library Assistant plugin, a WordPress plugin component managed through the official WordPress plugin directory.
RemediationAI
Upgrade Media Library Assistant to the patched version released after 3.34. Administrators should navigate to WordPress Dashboard > Plugins > Installed Plugins, locate Media Library Assistant, and apply the available update. Until patching is completed, restrict plugin access to trusted administrators only by adjusting user role capabilities in WordPress, and audit recent plugin activity logs for unauthorized content modifications. Full advisory details and version guidance are available at https://patchstack.com/database/wordpress/plugin/media-library-assistant/vulnerability/wordpress-media-library-assistant-plugin-3-34-cross-site-scripting-xss-vulnerability?_s_id=cve.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19311
GHSA-w3vf-mmxj-jw7x