CVE-2026-32399
Blind SQL Injection in Media Library Assistant ≤ 3.32 Allows Data Exposure
Publication date: 2026-03-13
Last updated on: 2026-03-13
Assigner: Patchstack
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| david_lingren_media | media_library_assistant | up to 3.32 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32399 is a SQL Injection vulnerability found in the WordPress Media Library Assistant Plugin versions up to and including 3.32.
This vulnerability allows a malicious actor with Contributor-level privileges to interact directly with the database in an unauthorized way.
Specifically, it is a Blind SQL Injection issue, meaning the attacker can execute SQL commands without seeing the direct output, potentially leading to unauthorized data access or manipulation.
How can this vulnerability impact me?
This vulnerability can lead to serious impacts including data theft or manipulation by an attacker.
Since it allows database interaction with only Contributor-level privileges, an attacker does not need high-level access to exploit it.
The CVSS severity score of 8.5 indicates a high severity risk, meaning the potential impact on confidentiality and availability is significant.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Blind SQL Injection in the WordPress Media Library Assistant Plugin up to version 3.32, exploitable by users with Contributor-level privileges. Detection typically involves monitoring for unusual database queries or attempts to inject SQL commands through plugin interfaces accessible to such users.
Specific commands or automated detection scripts are not provided in the available resources. However, general detection methods include reviewing web server logs for suspicious requests targeting the Media Library Assistant plugin endpoints and using web application security scanners that test for SQL Injection vulnerabilities.
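The log review suggested above can be scripted. The following Python is an added example, not part of this record or of the plugin project: it parses Apache/nginx combined-format access-log lines, keeps only requests that reference the plugin, URL-decodes the request target and flags common blind-injection indicators (quotes, comment sequences, SLEEP/BENCHMARK calls, tautologies). The plugin path hints and the `mla_filter_term` parameter in the sample lines are assumptions, since the advisory does not name the injectable endpoint; the log lines are constructed, not real traffic.

```python
import re
from urllib.parse import unquote_plus

# Assumption: the plugin is installed under its standard WordPress slug and its
# admin screens use page=mla-*. The advisory does not name the vulnerable
# parameter, so adjust these hints to the endpoints you actually see in your logs.
PLUGIN_HINTS = ("/wp-content/plugins/media-library-assistant/", "page=mla")

# Broad blind/boolean/time-based injection indicators, applied to the decoded
# request target. Deliberately wide: the output is a triage list, not a verdict.
SQLI_RE = re.compile(
    r"'|--|/\*|\bor\b\s+\d+\s*=\s*\d+|\bsleep\s*\(|\bbenchmark\s*\(|\bunion\s+select\b",
    re.IGNORECASE,
)

# Combined/common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_plugin_request(target):
    """True when the request target refers to the plugin's files or admin screens."""
    return any(hint in target for hint in PLUGIN_HINTS)


def sqli_indicators(target):
    """List the injection indicators present in the URL-decoded request target."""
    decoded = unquote_plus(target)
    return [m.group(0) for m in SQLI_RE.finditer(decoded)]


def find_suspicious(lines):
    """Return plugin-related requests whose target carries SQL-injection indicators."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or not is_plugin_request(rec["target"]):
            continue
        found = sqli_indicators(rec["target"])
        if found:
            rec["indicators"] = found
            hits.append(rec)
    return hits


# Constructed sample lines (not real traffic): a benign admin search, a plugin
# stylesheet fetch, a time-based probe against a plugin screen, and a probe
# against an unrelated endpoint that this plugin-scoped filter ignores.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Mar/2026:10:00:01 +0000] "GET /wp-admin/upload.php?page=mla-menu&s=cat HTTP/1.1" 200 5120',
    '203.0.113.5 - - [13/Mar/2026:10:00:02 +0000] "GET /wp-content/plugins/media-library-assistant/css/mla-style.css HTTP/1.1" 200 2210',
    '198.51.100.7 - - [13/Mar/2026:10:02:17 +0000] "GET /wp-admin/upload.php?page=mla-menu&mla_filter_term=1%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [13/Mar/2026:10:02:20 +0000] "GET /?s=%27%20OR%201%3D1 HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], hit["indicators"], hit["target"])
```

Feed it real log lines with `find_suspicious(open(path))`. Expect false positives from legitimate search terms containing apostrophes; the value of the plugin-scoped filter is a short list to review by hand, correlated with the WordPress user session that made the request, since this issue needs a logged-in Contributor.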
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to update the WordPress Media Library Assistant Plugin to version 3.33 or later, where this SQL Injection vulnerability has been patched.
Additionally, limiting Contributor-level user privileges and monitoring for suspicious activity can help reduce the risk until the update is applied.
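Checking whether an install is on a fixed version is easy to get wrong with plain string comparison ("3.4" sorts after "3.33" as text). The Python below is an added example, not the plugin project's code: it parses the plugin inventory that `wp plugin list --format=json` prints, compares versions numerically, and reports any Media Library Assistant install below the fixed version 3.33 named in this record. The JSON sample is constructed; the plugin slug `media-library-assistant` is assumed to be the install directory name.

```python
import json
import re

# From the record: versions up to and including 3.32 are affected, 3.33 carries the fix.
FIXED_VERSION = "3.33"
# Assumption: the plugin's directory slug as reported by WP-CLI.
PLUGIN_SLUG = "media-library-assistant"


def parse_version(version):
    """Turn '3.32' or '3.32.1' into a tuple of ints for numeric comparison.

    String comparison would rank '3.4' above '3.33'; tuples rank (3, 4) below (3, 33).
    """
    return tuple(int(n) for n in re.findall(r"\d+", version))


def is_affected(version, fixed=FIXED_VERSION):
    """True for any version numerically below the fixed release (the conservative reading)."""
    return parse_version(version) < parse_version(fixed)


def affected_plugins(wp_cli_json, slug=PLUGIN_SLUG, fixed=FIXED_VERSION):
    """Filter `wp plugin list --format=json` output down to vulnerable installs of the plugin."""
    return [
        p for p in json.loads(wp_cli_json)
        if p["name"] == slug and is_affected(p["version"], fixed)
    ]


# Constructed sample of WP-CLI output (not from a real site).
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "media-library-assistant", "status": "active", "update": "available", "version": "3.32"},
    {"name": "akismet", "status": "inactive", "update": "none", "version": "5.3"},
])

if __name__ == "__main__":
    for p in affected_plugins(SAMPLE_WP_PLUGIN_LIST):
        print(f"{p['name']} {p['version']} is below {FIXED_VERSION}: update required")
```

On a live site, replace the sample with `subprocess.run(["wp", "plugin", "list", "--format=json"], capture_output=True, text=True).stdout`; an empty result from `affected_plugins` means every install of the plugin is at 3.33 or later.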