CVE-2026-34897
Received Received - Intake

Stored XSS in Media Library Assistant Allows Persistent Script Injection

Vulnerability report for CVE-2026-34897, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-06

Last updated on: 2026-04-06

Assigner: Patchstack

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in David Lingren Media LIbrary Assistant allows Stored XSS.This issue affects Media LIbrary Assistant: from n/a through 3.34.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-06
Last Modified
2026-04-06
Generated
2026-07-06
AI Q&A
2026-04-06
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
david_lingren media_library_assistant to 3.34 (inc)
david_lingren media_library_assistant From 3.0.0 (inc) to 3.34 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify how the Cross Site Scripting (XSS) vulnerability in the Media Library Assistant plugin directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-34897 is a Cross Site Scripting (XSS) vulnerability affecting the WordPress Media Library Assistant Plugin versions up to and including 3.34.

This vulnerability allows attackers to inject malicious scriptsβ€”such as redirects, advertisements, or other HTML payloadsβ€”into websites, which execute when visitors access the compromised site.

Exploitation requires a user with Contributor-level privileges or higher to perform an action like clicking a malicious link, visiting a crafted page, or submitting a form, meaning user interaction is necessary.

Impact Analysis

The vulnerability can lead to attackers injecting malicious scripts into your website, which may execute unwanted actions such as redirects or displaying unauthorized advertisements.

This can compromise the integrity and trustworthiness of your site, potentially harming user experience and exposing visitors to malicious content.

Although the severity is considered low and exploitation requires user interaction, such vulnerabilities are often used in mass-exploit campaigns affecting many sites.

Updating the plugin to version 3.35 or later is strongly advised to mitigate this risk.

Detection Guidance

This vulnerability is a Stored Cross Site Scripting (XSS) issue in the WordPress Media Library Assistant Plugin up to version 3.34. Detection typically involves identifying if the vulnerable plugin version is installed and if malicious scripts have been injected into the website content.

To detect the vulnerability on your system, you can check the installed plugin version and scan for suspicious scripts or payloads in the content managed by the plugin.

  • Check the plugin version via WP-CLI: wp plugin list | grep media-library-assistant
  • Search for suspicious script tags or payloads in the database, for example using SQL commands to look for <script> tags in posts or plugin-related tables.
  • Use web vulnerability scanners that support XSS detection on your site pages where the plugin outputs content.
Mitigation Strategies

The primary immediate mitigation step is to update the WordPress Media Library Assistant Plugin to version 3.35 or later, where this vulnerability has been patched.

If immediate updating is not possible, restrict user roles to prevent users with Contributor-level privileges or higher from performing actions that could trigger the vulnerability.

Consider enabling auto-update options if available to facilitate rapid patching.

Additionally, monitor your site for suspicious activity and injected scripts, and remove any malicious content found.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34897. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart