CVE-2026-6075
Status: Deferred - Pending Action
Cross-Site Request Forgery in Media Library Assistant WordPress Plugin

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: Wordfence

Description
The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.35. This is due to missing nonce verification on the bulk action handlers in the settings tab handlers. This makes it possible for unauthenticated attackers to trick an administrator into performing bulk delete, edit, or purge operations on plugin settings and attachment metadata via a forged request.
Meta Information
Generated: 2026-06-19
AI Q&A: 2026-05-29
EPSS Evaluated: 2026-06-18
Affected Vendors & Products (1 associated CPE)
Vendor: media_library_assistant
Product: media_library_assistant
Version / Range: up to 3.35 (inclusive)
CWE
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Quick Actions
Executive Summary

The Media Library Assistant plugin for WordPress is vulnerable to a Cross-Site Request Forgery (CSRF) attack in versions up to and including 3.35. This vulnerability exists because the plugin's bulk action handlers in the settings tab do not verify nonces, which are security tokens used to confirm the legitimacy of requests.

As a result, an unauthenticated attacker can trick an administrator into performing bulk delete, edit, or purge operations on plugin settings and attachment metadata by sending a forged request.

Impact Analysis

This vulnerability can have serious impacts because it allows an attacker to cause an administrator to unknowingly perform bulk operations such as deleting, editing, or purging plugin settings and attachment metadata.

The CVSS score of 8.1 indicates a high severity, with impacts including high integrity and availability damage, meaning critical data could be altered or lost, potentially disrupting website functionality.

Mitigation Strategies

The vulnerability exists due to missing nonce verification on bulk action handlers in the Media Library Assistant plugin for WordPress, allowing an unauthenticated attacker who tricks an administrator into submitting a forged request to trigger bulk operations.

Immediate mitigation steps include updating the Media Library Assistant plugin to a version later than 3.35 where this issue is fixed.

Additionally, restrict administrative access to trusted users only and consider disabling bulk action features in the plugin settings until an update is applied.
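As an added illustration of the fix the advisory describes (example code, not Media Library Assistant's own), a hypothetical WordPress admin-page bulk action handler is shown first without and then with the nonce and capability checks; all mla_demo_* names and the option key are assumptions.

```php
<?php
// Added example, not the plugin's code. Hypothetical names: mla_demo_*, option
// 'mla_demo_settings'. The unsafe shape acts on any POST that reaches it; the
// hardened shape ties the form to a nonce and a capability so a forged
// cross-site request submitted by a logged-in administrator is rejected.

// VULNERABLE PATTERN (CWE-352, for contrast only): no nonce, no capability check.
function mla_demo_bulk_action_unsafe() {
    if ( isset( $_POST['mla_demo_bulk'] ) && 'purge' === $_POST['mla_demo_bulk'] ) {
        delete_option( 'mla_demo_settings' );
    }
}

// HARDENED: emit the nonce in the form ...
function mla_demo_render_bulk_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'options-general.php?page=mla-demo' ) ); ?>">
        <?php wp_nonce_field( 'mla_demo_bulk_action', 'mla_demo_nonce' ); ?>
        <select name="mla_demo_bulk">
            <option value="delete">Delete</option>
            <option value="purge">Purge</option>
        </select>
        <?php submit_button( 'Apply' ); ?>
    </form>
    <?php
}

// ... and verify it before doing anything destructive.
function mla_demo_bulk_action_safe() {
    if ( ! isset( $_POST['mla_demo_bulk'] ) ) {
        return; // nothing submitted
    }
    // Authorization: only users who may manage options can change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'mla-demo' ), '', array( 'response' => 403 ) );
    }
    // CSRF defence: check_admin_referer() dies with a 403 when the nonce is
    // missing, expired, or was issued for another user or action.
    check_admin_referer( 'mla_demo_bulk_action', 'mla_demo_nonce' );
    $action = sanitize_key( wp_unslash( $_POST['mla_demo_bulk'] ) );
    switch ( $action ) {
        case 'purge':
            delete_option( 'mla_demo_settings' );
            break;
        case 'delete':
            update_option( 'mla_demo_settings', array() );
            break;
    }
}
```

The two checks are not interchangeable: current_user_can() alone does not stop CSRF because the forged request is sent by an already authorized administrator, and check_admin_referer() alone is not an authorization check.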

Detection Guidance

This vulnerability involves missing nonce verification on bulk action handlers in the Media Library Assistant WordPress plugin, which can be exploited via forged requests targeting the settings tab handlers.

To detect potential exploitation attempts on your system or network, you can monitor HTTP requests to the WordPress admin area that perform bulk delete, edit, or purge operations on plugin settings or attachment metadata without valid nonce tokens.

Suggested commands include inspecting web server logs for suspicious POST requests to the plugin's bulk action endpoints, for example using grep:

  • grep -i 'media-library-assistant' /var/log/apache2/access.log | grep POST
  • grep -i 'bulk-delete' /var/log/apache2/access.log

Additionally, you can use tools like curl to test whether nonce verification is missing by sending crafted POST requests to the plugin's bulk action URLs and observing whether the actions are executed even though no valid nonce is supplied.
