HIGH 8.1

CVE-2026-6075: Media Library Assistant WordPress CSRF Vulnerability – Bulk Action Exploitation

The Media Library Assistant plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability affecting versions up to 3.35. The flaw allows attackers to craft malicious web pages or emails that, when viewed by an administrator, can trigger unauthorized bulk operations on plugin settings and attachment metadata without the admin's knowledge or consent. An attacker doesn't need valid WordPress credentials to exploit this—only the ability to trick an admin into visiting a compromised site.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Weaknesses (CWE)
CWE-352
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.35 This is due to missing nonce verification on the bulk action handlers in the settings tab handlers. This makes it possible for unauthenticated attackers to trick an administrator into performing bulk delete, edit, or purge operations on plugin settings and attachment metadata via a forged request.

11 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This vulnerability stems from insufficient CSRF protections in the plugin's bulk action handlers within the settings tab. Specifically, the plugin fails to validate nonce tokens when processing bulk delete, edit, and purge operations. The absence of nonce verification means that an attacker can construct a forged HTTP request (typically embedded in a malicious webpage or email) that the administrator's browser will automatically execute with their logged-in session privileges. The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) and carries a CVSS v3.1 score of 8.1 (HIGH severity), reflecting the combination of network-based attack vector, low complexity, no authentication requirement, and high impact on integrity and availability.

Business impact

Compromise of plugin settings via CSRF could lead to loss of attachment metadata, unintended deletion of media library configurations, or manipulation of plugin behavior—potentially disrupting site operations or exposing sensitive media management workflows. While confidentiality is not directly affected, the high integrity and availability impact means attackers could cause data loss or force administrators into remediation activities. Sites relying on Media Library Assistant for critical media workflows face operational risk if an administrator is socially engineered into clicking a malicious link.

Affected systems

WordPress installations running the Media Library Assistant plugin version 3.35 or earlier are affected. The vulnerability requires an administrator to be logged into WordPress and to visit or interact with attacker-controlled content, but the attack payload itself requires no special privileges from the attacker side. Any WordPress site using this plugin should be considered at risk if administrators are not aware of the threat.

Exploitability

Exploitability is practical but contingent on social engineering. An attacker must convincingly trick an administrator into visiting a malicious page or clicking a link while the admin is actively logged into WordPress. The technical barrier to crafting the CSRF payload is low—standard HTML forms or JavaScript can trigger bulk actions silently. However, the reliance on user interaction (UI:R in the CVSS vector) prevents fully automated exploitation. The lack of a public exploit in the KEV catalog suggests this remains a designer-level threat rather than mass-exploitation scenario at publication time.

Remediation

Update the Media Library Assistant plugin to a version later than 3.35 that includes nonce verification in bulk action handlers. Verify the patched version against the plugin's official repository or vendor advisory before deployment. Additionally, enforce security best practices: limit administrator access to trusted networks where feasible, educate administrators about not clicking suspicious links while logged into WordPress, and consider using security plugins that detect and block CSRF attempts.

Patch guidance

Check the Media Library Assistant plugin repository for the latest available version beyond 3.35. Apply the update through the WordPress plugin dashboard (Plugins > Installed Plugins > Media Library Assistant > Update) or manually via SFTP/file manager. Test the update in a staging environment first to ensure no conflicts with other plugins or custom code. Clear any plugin caches after updating. Verify the update completed successfully by checking the plugin version string in the plugin editor or dashboard.

Detection guidance

Monitor WordPress audit logs for bulk delete, edit, or purge operations in the Media Library Assistant settings that lack corresponding admin actions in your change management records. Web Application Firewall (WAF) rules can be tuned to flag requests lacking valid nonce parameters in POST requests to the plugin's settings handlers. Review admin login sessions and referrer logs to identify sessions that originated from unexpected external domains. Security plugins such as Wordfence or Sucuri can alert on suspicious plugin modifications or bulk metadata operations.

Why prioritize this

Although the CVSS score of 8.1 reflects HIGH severity, practical exploitability is constrained by the requirement to socially engineer an administrator. However, the high integrity and availability impact—combined with the fact that WordPress administrators are frequent targets of phishing—warrants prompt patching. Sites with sensitive media libraries, those in regulated industries, or installations with less security-aware administrators should prioritize this update within their standard patch cycle (typically 1–2 weeks).

Risk score, explained

The CVSS 8.1 score reflects a network-accessible, low-complexity attack requiring no authentication, but contingent on user interaction. The integrity impact is rated HIGH because attackers can modify or delete settings and metadata; availability impact is HIGH because bulk purge operations can disrupt media workflows. Confidentiality is not affected. The overall severity is tempered slightly by the UI:R requirement, but remains HIGH due to the realistic likelihood that administrators can be socially engineered, combined with the real operational harm if settings are corrupted.

Frequently asked questions

Can an unauthenticated attacker exploit this without tricking an admin?

No. The attacker must socially engineer an administrator who is actively logged into WordPress to visit a malicious page or click a crafted link. The vulnerability cannot be exploited remotely against a logged-out user or if the admin never visits the attacker's content.

What exactly can an attacker do if they successfully exploit this?

An attacker can trigger bulk delete, edit, or purge operations on the plugin's settings and attachment metadata. This could result in loss of media library configurations, deletion of metadata, or unintended modifications to how the plugin behaves—but cannot grant the attacker direct access to the WordPress admin account or any other elevated permissions.

Are non-administrator users at risk?

No. The CSRF payload only functions when executed by an administrator (or higher-privileged user). Regular editors or contributors lack the permissions to trigger these bulk actions in Media Library Assistant settings, so the vulnerability is limited to the admin scope.

Is there a temporary workaround if we cannot patch immediately?

Yes. Restrict administrator access to WordPress from a trusted office network or VPN, and educate administrators not to click suspicious links while logged in. However, these are defensive measures, not substitutes for patching. Update the plugin as soon as feasible.

This analysis is provided for informational purposes and should not be considered a substitute for professional security assessment. Organizations should verify patch availability and compatibility with their specific WordPress configurations before deployment. The vulnerability details and affected versions stated here are based on the source CVE record; always cross-reference with the plugin vendor's official security advisory for the most current guidance. SEC.co makes no warranty regarding the completeness or accuracy of remediation guidance and recommends consulting with your security team or a managed security provider before taking action in production environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).