Skip to main content

David Lingren Media LIbrary Assistant CVE-2026-34897

| EUVDEUVD-2026-19311 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-06 audit@patchstack.com GHSA-w3vf-mmxj-jw7x
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Apr 06, 2026 - 15:22 euvd
EUVD-2026-19311
Analysis Generated
Apr 06, 2026 - 15:22 vuln.today
CVE Published
Apr 06, 2026 - 15:17 nvd
MEDIUM 6.5

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in David Lingren Media LIbrary Assistant allows Stored XSS.This issue affects Media LIbrary Assistant: from n/a through 3.34.

AnalysisAI

Stored cross-site scripting (XSS) in David Lingren Media Library Assistant WordPress plugin through version 3.34 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other users viewing affected pages. The vulnerability requires user interaction (UI:R per CVSS vector) and impacts confidentiality, integrity, and availability with a CVSS score of 6.5. No public exploit code or active exploitation has been confirmed at the time of analysis.

Technical ContextAI

The vulnerability exists in the Media Library Assistant plugin's input sanitization during web page generation, classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The plugin fails to adequately neutralize user-supplied input before rendering it in HTML context, allowing authenticated attackers with low privileges (PR:L) to inject arbitrary JavaScript code. This code persists in the application's data store (stored XSS variant) and executes when other users access the affected content, crossing security boundaries (S:C per CVSS vector). The vulnerability affects all versions through 3.34 of the Media Library Assistant plugin, a WordPress plugin component managed through the official WordPress plugin directory.

RemediationAI

Upgrade Media Library Assistant to the patched version released after 3.34. Administrators should navigate to WordPress Dashboard > Plugins > Installed Plugins, locate Media Library Assistant, and apply the available update. Until patching is completed, restrict plugin access to trusted administrators only by adjusting user role capabilities in WordPress, and audit recent plugin activity logs for unauthorized content modifications. Full advisory details and version guidance are available at https://patchstack.com/database/wordpress/plugin/media-library-assistant/vulnerability/wordpress-media-library-assistant-plugin-3-34-cross-site-scripting-xss-vulnerability?_s_id=cve.

Share

CVE-2026-34897 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy