Skip to main content

Media Library Assistant CVE-2026-54198

| EUVDEUVD-2026-37055 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-16 Patchstack GHSA-496r-7vwg-mwcf
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network-reachable reflected XSS, no auth, but requires victim click (UI:R); scope changes from anonymous attacker into authenticated browser context with limited C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 10:21 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Media LIbrary Assistant <= 3.35 versions.

AnalysisAI

Reflected cross-site scripting in the Media Library Assistant WordPress plugin (versions up to and including 3.35) allows unauthenticated remote attackers to inject script that executes in a victim's browser after a user-interaction event (clicking a crafted link). Per Patchstack, the issue affects David Lingren's plugin and currently has no public exploit identified at time of analysis, but the CVSS 7.1 (scope-changed) reflects that successful execution can pivot into authenticated admin contexts.

Technical ContextAI

Media Library Assistant is a popular WordPress plugin by David Lingren (CPE cpe:2.3:a:david_lingren:media_library_assistant) that extends the WordPress media library with shortcodes, taxonomies, IPTC/EXIF mapping, and gallery features. The flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controllable input is reflected back into HTML/JavaScript context without adequate output encoding or contextual escaping. In WordPress plugin ecosystems, reflected XSS in admin- or front-end-exposed handlers commonly stems from unsanitized $_GET/$_POST parameters echoed via PHP without esc_html(), esc_attr(), or wp_kses(), allowing attackers to inject arbitrary script payloads that execute in the victim's authenticated session.

RemediationAI

Upstream fix availability is not independently confirmed from the provided data - Patchstack lists the affected ceiling as 3.35 but no fixed release version was supplied, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/media-library-assistant/vulnerability/wordpress-media-library-assistant-plugin-3-35-reflected-cross-site-scripting-xss-vulnerability) and the plugin's WordPress.org page for any version published after 3.35 and upgrade immediately. Until a patched release is verified, compensating controls include deploying a WordPress-aware WAF (Patchstack, Wordfence) with virtual-patch rules for this CVE, restricting access to plugin endpoints via web-server ACLs or HTTP auth on /wp-admin (trade-off: blocks legitimate editors from remote locations), enforcing a strict Content-Security-Policy that disallows inline script (trade-off: may break other plugins/themes that rely on inline JS), and instructing administrators to avoid clicking unsolicited links to their own site while logged in. Deactivating the Media Library Assistant plugin is the most reliable mitigation if patching is not possible (trade-off: loss of extended media features).

CVE-2023-4634 CRITICAL POC
9.8 Sep 06

The Media Library Assistant plugin for WordPress is vulnerable to Local File Inclusion and Remote Code Execution in vers

CVE-2020-11732 HIGH POC
7.5 Apr 13

The Media Library Assistant plugin before 2.82 for Wordpress suffers from a Local File Inclusion vulnerability in mla_ga

CVE-2020-11928 CRITICAL
9.8 Apr 20

In the media-library-assistant plugin before 2.82 for WordPress, Remote Code Execution can occur via the tax_query, meta

CVE-2024-3518 HIGH
8.8 May 22

The Media Library Assistant plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode(s) in all ver

CVE-2024-5605 HIGH
8.8 Jun 20

The Media Library Assistant plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter wit

CVE-2024-6823 HIGH
8.8 Aug 13

The Media Library Assistant plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type valida

CVE-2026-32399 HIGH
8.5 Mar 13

Blind SQL injection in Media Library Assistant through version 3.32 allows authenticated attackers to execute arbitrary

CVE-2023-0279 HIGH
7.2 Feb 27

The Media Library Assistant WordPress plugin before 3.06 does not properly sanitise and escape a parameter before using

CVE-2024-3519 MEDIUM
6.1 May 22

The Media Library Assistant plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the lang parameter

CVE-2024-2871 MEDIUM
6.4 Apr 09

The Media Library Assistant plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode(s) in all ver

CVE-2024-2475 MEDIUM
6.4 Mar 29

The Media Library Assistant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode

CVE-2023-4716 MEDIUM
6.4 Sep 22

The Media Library Assistant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mla_gallery' shor

Share

CVE-2026-54198 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy