CVE-2026-34897
Received Received - Intake
Stored XSS in Media Library Assistant Allows Persistent Script Injection

Publication date: 2026-04-06

Last updated on: 2026-04-06

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in David Lingren Media LIbrary Assistant allows Stored XSS.This issue affects Media LIbrary Assistant: from n/a through 3.34.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-06
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34897
EUVD
EUVD-2026-19311
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
david_lingren media_library_assistant to 3.34 (inc)
david_lingren media_library_assistant From 3.0.0 (inc) to 3.34 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-34897 is a Cross Site Scripting (XSS) vulnerability affecting the WordPress Media Library Assistant Plugin versions up to and including 3.34.

This vulnerability allows attackers to inject malicious scriptsβ€”such as redirects, advertisements, or other HTML payloadsβ€”into websites, which execute when visitors access the compromised site.

Exploitation requires a user with Contributor-level privileges or higher to perform an action like clicking a malicious link, visiting a crafted page, or submitting a form, meaning user interaction is necessary.

Impact Analysis

The vulnerability can lead to attackers injecting malicious scripts into your website, which may execute unwanted actions such as redirects or displaying unauthorized advertisements.

This can compromise the integrity and trustworthiness of your site, potentially harming user experience and exposing visitors to malicious content.

Although the severity is considered low and exploitation requires user interaction, such vulnerabilities are often used in mass-exploit campaigns affecting many sites.

Updating the plugin to version 3.35 or later is strongly advised to mitigate this risk.

Detection Guidance

This vulnerability is a Stored Cross Site Scripting (XSS) issue in the WordPress Media Library Assistant Plugin up to version 3.34. Detection typically involves identifying if the vulnerable plugin version is installed and if malicious scripts have been injected into the website content.

To detect the vulnerability on your system, you can check the installed plugin version and scan for suspicious scripts or payloads in the content managed by the plugin.

  • Check the plugin version via WP-CLI: wp plugin list | grep media-library-assistant
  • Search for suspicious script tags or payloads in the database, for example using SQL commands to look for <script> tags in posts or plugin-related tables.
  • Use web vulnerability scanners that support XSS detection on your site pages where the plugin outputs content.
Mitigation Strategies

The primary immediate mitigation step is to update the WordPress Media Library Assistant Plugin to version 3.35 or later, where this vulnerability has been patched.

If immediate updating is not possible, restrict user roles to prevent users with Contributor-level privileges or higher from performing actions that could trigger the vulnerability.

Consider enabling auto-update options if available to facilitate rapid patching.

Additionally, monitor your site for suspicious activity and injected scripts, and remove any malicious content found.

Compliance Impact

The provided information does not specify how the Cross Site Scripting (XSS) vulnerability in the Media Library Assistant plugin directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34897. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart