Media Library Assistant Plugin Vulnerability (CVE-2026-6075)

Security Alert Summary

The Media Library Assistant WordPress plugin contains a Cross-Site Request Forgery (CSRF) vulnerability that can allow an attacker to trick an administrator into performing bulk delete, edit, or purge actions on plugin settings and attachment metadata. The issue is caused by missing nonce verification on bulk action handlers in the plugin settings tabs.


CVE Details

  • CVE ID: CVE-2026-6075
  • Affected component: Media Library Assistant plugin for WordPress
  • Affected versions: Versions up to, and including, 3.35
  • Published: May 29, 2026 at 9:16:18 AM UTC
  • Last modified: May 29, 2026 at 1:09:05 PM UTC
  • CVSS v3.1: Base Score 8.1, Severity HIGH, Vector String CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
  • Authentication / Privileges / User interaction: Authentication not required; Privileges required: None; User interaction: Required
  • Primary impact: Confidentiality: None; Integrity: High; Availability: High
  • CWE: CWE-352 (Cross-Site Request Forgery)

Technical Details

This vulnerability is a Cross-Site Request Forgery (CSRF) issue caused by missing nonce verification on the plugin's bulk action handlers in its settings tabs. Without nonce checks, an attacker can construct a forged request that, if an administrator or another privileged user executes it (for example by visiting an attacker-controlled page or clicking a crafted link), will perform bulk operations such as delete, edit, or purge on plugin settings and attachment metadata.

The issue is tied to the settings tab handlers where bulk actions are processed. The project references include files such as class-mla-settings-custom-fields-tab.php, class-mla-settings-iptc-exif-tab.php, class-mla-settings-view-tab.php, and class-mla-settings.php, which are locations associated with the affected handlers.

Impact is limited to modification or removal of plugin settings and attachment metadata (integrity and availability effects). The CVSS assessment indicates no direct confidentiality loss from this flaw; however, altering or removing media metadata and settings can disrupt site content and workflows.
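As an added illustration (not the plugin's code and not taken from the advisory), the pattern behind CWE-352 in a WordPress settings handler: a bulk-action handler that trusts the POST body directly, beside the hardened form that emits a nonce with the form and verifies both the nonce and the user's capability before acting. All function, field and meta-key names prefixed `mla_demo_` are hypothetical placeholders.

```php
<?php
// Hypothetical bulk-action handler for a WordPress settings tab.
// The mla_demo_* names are placeholders, not identifiers from the real plugin.

// VULNERABLE form: acts on $_POST with no nonce and no capability check.
// A form auto-submitted from any site the admin visits reaches the loop (CWE-352).
function mla_demo_bulk_handler_vulnerable() {
    if ( empty( $_POST['bulk_action'] ) || 'delete' !== $_POST['bulk_action'] ) {
        return;
    }
    foreach ( (array) $_POST['cb_attachment'] as $id ) {
        delete_post_meta( absint( $id ), '_mla_demo_custom_field' );
    }
}

// HARDENED form, part 1: render the form with a nonce bound to this action.
function mla_demo_render_bulk_form() {
    echo '<form method="post">';
    // Emits hidden fields mla_demo_nonce and _wp_http_referer.
    wp_nonce_field( 'mla_demo_bulk_action', 'mla_demo_nonce' );
    echo '<input type="hidden" name="bulk_action" value="delete" />';
    // ... one checkbox named cb_attachment[] per attachment row ...
    echo '<button type="submit">Apply</button></form>';
}

// HARDENED form, part 2: require capability and nonce before touching data.
function mla_demo_bulk_handler_hardened() {
    if ( empty( $_POST['bulk_action'] ) ) {
        return;
    }
    // 1. Capability check: only users allowed to manage settings may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 2. Nonce check: check_admin_referer() calls wp_die() on failure, so a
    //    cross-site form (which cannot obtain the nonce) never reaches the loop.
    check_admin_referer( 'mla_demo_bulk_action', 'mla_demo_nonce' );

    $action = sanitize_key( wp_unslash( $_POST['bulk_action'] ) );
    $ids    = array_map( 'absint', (array) ( $_POST['cb_attachment'] ?? array() ) );
    if ( 'delete' === $action ) {
        foreach ( $ids as $id ) {
            delete_post_meta( $id, '_mla_demo_custom_field' );
        }
    }
}
```

The nonce alone is the CSRF defence; the capability check is kept alongside it because a valid nonce only proves the request came from a page WordPress rendered for that user, not that the user is allowed to perform the bulk action.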


How This Could Impact Your Website

In a typical small or medium site, multiple people may have different roles: a site owner, internal editors or staff who manage media, and external contractors or contributors who assist with content. If an administrator or other privileged user is tricked into executing a forged request, an attacker could cause bulk changes or deletions to media metadata or plugin settings. Practical consequences include broken galleries, missing captions or taxonomies, and loss of attachment metadata that other workflows depend on.

While this vulnerability does not directly expose confidential data according to the CVSS assessment, the resulting disruption can create operational problems and may indirectly increase the risk of targeted social engineering or phishing attempts if communications or content are altered.

Professional review: If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles and capabilities, especially for contributors and accounts that can manage media or plugin settings.
  • Enforce strong passwords and enable two-factor authentication for editor and administrator accounts.
  • Remove unused or unmaintained plugins to reduce attack surface.
  • Monitor site activity and logs for unusual behavior, including unexpected bulk edits or deletions of media and settings.

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
