CVE-2026-6075
Cross-Site Request Forgery in Media Library Assistant WordPress Plugin
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: Wordfence
Description
CVSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| media_library_assistant | media_library_assistant | all versions up to and including 3.35 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 3.35. The bulk action handlers on the plugin's settings tab do not verify WordPress nonces, the per-user, per-action tokens a handler checks to confirm that a state-changing request was submitted from a form the site itself rendered for that user.
Because the browser attaches the administrator's session cookies to any request aimed at the site, an unauthenticated attacker who can get a logged-in administrator to open a page they control (a link, a page carrying a hidden auto-submitting form) can make that administrator's browser issue the forged request. The result is a bulk delete, edit, or purge of plugin settings and attachment metadata performed with the administrator's privileges and without the administrator's knowledge.
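The missing check described above, illustrated with an added example that is not code from the Media Library Assistant plugin: a hypothetical bulk "purge attachment metadata" handler on a settings tab, first in the shape that CWE-352 describes and then hardened with a capability check and WordPress nonce verification. All function names, the action slug `mla_example_bulk`, the meta key and the settings page slug are assumptions; only the WordPress API calls (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `wp_die`, `delete_post_meta`, `submit_button`) are real.

```php
<?php
// Added example, not code from Media Library Assistant. Names marked "example"
// and the action slug 'mla_example_bulk' are assumptions for illustration.

// --- Vulnerable shape (CWE-352): the state change is driven solely by request
// --- parameters. The only "proof" of intent is the admin's session cookie,
// --- which the browser attaches to a form auto-submitted from an attacker's page.
function example_bulk_purge_vulnerable() {
    if ( ! isset( $_POST['bulk_action'] ) || 'purge_meta' !== $_POST['bulk_action'] ) {
        return;
    }
    $ids = array_map( 'absint', (array) ( $_POST['ids'] ?? array() ) );
    foreach ( $ids as $id ) {
        delete_post_meta( $id, '_example_attachment_meta' );
    }
}

// --- Hardened shape: authorization first, then origin-of-request verification.
function example_bulk_purge_hardened() {
    if ( ! isset( $_POST['bulk_action'] ) || 'purge_meta' !== $_POST['bulk_action'] ) {
        return;
    }
    // 1. May this user perform the operation at all? A nonce never replaces this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), 403 );
    }
    // 2. Was the request submitted from a form this site rendered for this user?
    //    check_admin_referer() reads $_POST['_wpnonce'], validates it against the
    //    action string for the current user, and calls wp_die() on failure, so
    //    execution only continues when the nonce is valid.
    check_admin_referer( 'mla_example_bulk', '_wpnonce' );

    $ids = array_map( 'absint', (array) wp_unslash( $_POST['ids'] ?? array() ) );
    foreach ( $ids as $id ) {
        // Restrict the bulk operation to the post type it is meant for.
        if ( 'attachment' === get_post_type( $id ) ) {
            delete_post_meta( $id, '_example_attachment_meta' );
        }
    }
}

// The settings-tab form that drives the hardened handler must emit the matching
// nonce field; a form on an attacker's site cannot produce a valid value because
// the nonce is derived from the logged-in user, the action string and a secret.
function example_render_bulk_form( array $attachment_ids ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'options-general.php?page=example' ) ); ?>">
        <?php wp_nonce_field( 'mla_example_bulk', '_wpnonce' ); ?>
        <?php foreach ( $attachment_ids as $id ) : ?>
            <label>
                <input type="checkbox" name="ids[]" value="<?php echo absint( $id ); ?>">
                <?php echo absint( $id ); ?>
            </label>
        <?php endforeach; ?>
        <input type="hidden" name="bulk_action" value="purge_meta">
        <?php submit_button( 'Purge metadata' ); ?>
    </form>
    <?php
}

// Hook the hardened handler where admin form submissions are processed.
add_action( 'admin_init', 'example_bulk_purge_hardened' );
```

Two points worth keeping in mind when reviewing handlers like this. The capability check and the nonce check answer different questions (is this user allowed, and did this user actually intend the request), so both are needed; a nonce check alone would still let a low-privileged logged-in user drive the handler if the capability check were missing. And WordPress nonces are not single-use random tokens: they are an HMAC-style value over the user, the action and a time window, which is why the action string passed to `wp_nonce_field` and `check_admin_referer` must match exactly and should be specific to the operation rather than shared across a whole settings page.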
How can this vulnerability impact me?
A successful attack causes an administrator to unknowingly run bulk delete, edit, or purge operations against plugin settings and attachment metadata.
The reported CVSS score of 8.1 (High) reflects high integrity and availability impact: settings and metadata can be altered or lost, which can disrupt how the site's media library and the plugin itself function.
What immediate steps should I take to mitigate this vulnerability?
The root cause is missing nonce verification on the bulk action handlers in the Media Library Assistant plugin's settings tab, which lets an unauthenticated attacker drive those handlers through a logged-in administrator's browser.
Update the Media Library Assistant plugin to a version later than 3.35, in which the issue is fixed.
Until the update is applied, administrators should avoid opening untrusted links or browsing untrusted sites while logged in to the WordPress dashboard, since the attack depends on an authenticated administrator session in the same browser; keeping the number of administrator accounts to a minimum reduces the number of users who can be targeted. If the plugin's settings offer a way to turn off the bulk action features, disabling them until the update is applied removes the affected handlers from the attack surface.