Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network-reachable reflected XSS, no auth, but requires victim click (UI:R); scope changes from anonymous attacker into authenticated browser context with limited C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Media LIbrary Assistant <= 3.35 versions.
AnalysisAI
Reflected cross-site scripting in the Media Library Assistant WordPress plugin (versions up to and including 3.35) allows unauthenticated remote attackers to inject script that executes in a victim's browser after a user-interaction event (clicking a crafted link). Per Patchstack, the issue affects David Lingren's plugin and currently has no public exploit identified at time of analysis, but the CVSS 7.1 (scope-changed) reflects that successful execution can pivot into authenticated admin contexts.
Technical ContextAI
Media Library Assistant is a popular WordPress plugin by David Lingren (CPE cpe:2.3:a:david_lingren:media_library_assistant) that extends the WordPress media library with shortcodes, taxonomies, IPTC/EXIF mapping, and gallery features. The flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controllable input is reflected back into HTML/JavaScript context without adequate output encoding or contextual escaping. In WordPress plugin ecosystems, reflected XSS in admin- or front-end-exposed handlers commonly stems from unsanitized $_GET/$_POST parameters echoed via PHP without esc_html(), esc_attr(), or wp_kses(), allowing attackers to inject arbitrary script payloads that execute in the victim's authenticated session.
RemediationAI
Upstream fix availability is not independently confirmed from the provided data - Patchstack lists the affected ceiling as 3.35 but no fixed release version was supplied, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/media-library-assistant/vulnerability/wordpress-media-library-assistant-plugin-3-35-reflected-cross-site-scripting-xss-vulnerability) and the plugin's WordPress.org page for any version published after 3.35 and upgrade immediately. Until a patched release is verified, compensating controls include deploying a WordPress-aware WAF (Patchstack, Wordfence) with virtual-patch rules for this CVE, restricting access to plugin endpoints via web-server ACLs or HTTP auth on /wp-admin (trade-off: blocks legitimate editors from remote locations), enforcing a strict Content-Security-Policy that disallows inline script (trade-off: may break other plugins/themes that rely on inline JS), and instructing administrators to avoid clicking unsolicited links to their own site while logged in. Deactivating the Media Library Assistant plugin is the most reliable mitigation if patching is not possible (trade-off: loss of extended media features).
More in Media Library Assistant
View allThe Media Library Assistant plugin for WordPress is vulnerable to Local File Inclusion and Remote Code Execution in vers
The Media Library Assistant plugin before 2.82 for Wordpress suffers from a Local File Inclusion vulnerability in mla_ga
In the media-library-assistant plugin before 2.82 for WordPress, Remote Code Execution can occur via the tax_query, meta
The Media Library Assistant plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode(s) in all ver
The Media Library Assistant plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter wit
The Media Library Assistant plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type valida
Blind SQL injection in Media Library Assistant through version 3.32 allows authenticated attackers to execute arbitrary
The Media Library Assistant WordPress plugin before 3.06 does not properly sanitise and escape a parameter before using
The Media Library Assistant plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the lang parameter
The Media Library Assistant plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode(s) in all ver
The Media Library Assistant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode
The Media Library Assistant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mla_gallery' shor
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37055
GHSA-496r-7vwg-mwcf