{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34885", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-31T09:57:17.718Z", "datePublished": "2026-04-06T14:47:31.754Z", "dateUpdated": "2026-04-06T15:24:38.062Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-06T14:47:31.754Z"}, "title": "WordPress Media LIbrary Assistant plugin <= 3.34 - SQL Injection vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "affected": [{"vendor": "David Lingren", "product": "Media LIbrary Assistant", "collectionURL": "https://wordpress.org/plugins", "packageName": "media-library-assistant", "versions": [{"status": "affected", "version": "n/a", "lessThanOrEqual": "3.34", "changes": [{"at": "3.35", "status": "unaffected"}], "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media LIbrary Assistant allows SQL Injection.This issue affects Media LIbrary Assistant: from n/a through 3.34.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media LIbrary Assistant allows SQL Injection.<p>This issue affects Media LIbrary Assistant: from n/a through 3.34.</p>"}]}], "tags": ["x_open-source"], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/media-library-assistant/vulnerability/wordpress-media-library-assistant-plugin-3-34-sql-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseSeverity": "HIGH", "baseScore": 8.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L"}}], "solutions": [{"lang": "en", "value": "Update the WordPress Media LIbrary Assistant Plugin to the latest available version (at least 3.35).", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Update the WordPress Media LIbrary Assistant Plugin to the latest available version (at least 3.35)."}]}], "credits": [{"lang": "en", "value": "Sajjad Haqi | Patchstack Bug Bounty Program", "user": "00000000-0000-4000-9000-000000000000", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T15:23:52.004734Z", "id": "CVE-2026-34885", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:24:38.062Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34885", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T15:23:52.004734Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T15:24:30.730Z"}}], "cna": {"tags": ["x_open-source"], "title": "WordPress Media LIbrary Assistant plugin <= 3.34 - SQL Injection vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Sajjad Haqi | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "David Lingren", "product": "Media LIbrary Assistant", "versions": [{"status": "affected", "changes": [{"at": "3.35", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "3.34"}], "packageName": "media-library-assistant", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update the WordPress Media LIbrary Assistant Plugin to the latest available version (at least 3.35).", "supportingMedia": [{"type": "text/html", "value": "Update the WordPress Media LIbrary Assistant Plugin to the latest available version (at least 3.35).", "base64": false}]}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/media-library-assistant/vulnerability/wordpress-media-library-assistant-plugin-3-34-sql-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media LIbrary Assistant allows SQL Injection.This issue affects Media LIbrary Assistant: from n/a through 3.34.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media LIbrary Assistant allows SQL Injection.<p>This issue affects Media LIbrary Assistant: from n/a through 3.34.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-06T14:47:31.754Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34885", "state": "PUBLISHED", "dateUpdated": "2026-04-06T15:24:38.062Z", "dateReserved": "2026-03-31T09:57:17.718Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-06T14:47:31.754Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media LIbrary Assistant allows SQL Injection.This issue affects Media LIbrary Assistant: from n/a through 3.34."}], "id": "CVE-2026-34885", "lastModified": "2026-04-24T18:08:35.440", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-04-06T15:17:11.130", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/wordpress/plugin/media-library-assistant/vulnerability/wordpress-media-library-assistant-plugin-3-34-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.34]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "matching", "scores": [{"score": 99.0, "source": "matching"}]}, "original": {"product": "Media LIbrary Assistant", "source": "cna", "vendor": "David Lingren"}, "product": "media_library_assistant", "vendor": "davidlingren"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T08:46:00.092094+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011supplied patch by upgrading the Media Library Assistant plugin to version 3.35 or later.", "If an immediate upgrade is not feasible, disable or uninstall the Media Library Assistant plugin to remove the attack surface.", "Configure the WordPress database user with the least privilege required for normal operation, limiting the tables that can be accessed by the plugin."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "David Lingren Media Library Assistant for WordPress is affected, on every release up to and including version 3.34. A WordPress site that has not upgraded past this version is vulnerable.", "description_and_impact": "The vulnerability is caused by improper neutralization of special elements in a SQL command, allowing attackers to inject arbitrary SQL statements into the database through the Media Library Assistant plugin. This can result in unauthorized data read, modification, or deletion, compromising the confidentiality and integrity of the site's data. The weakness is a classic SQL injection flaw, identified as CWE\u201189.", "risk_and_exploitability": "The CVSS score of 8.5 classifies this as a high severity vulnerability. While the EPSS score is 6% and the vulnerability is not listed in the CISA KEV catalog, the likelihood of exploitation remains high because the affected code is reachable via the web interface of a WordPress plugin. An attacker who can craft a request to the vulnerable endpoint can inject SQL and potentially gain full read/write access to the database table used by Media Library Assistant. The attack does not require additional permissions beyond access to the web application, so it is feasible for remote adversaries with knowledge of the site structure."}}}}, "created": "2026-04-06T20:14:23.974261+00:00", "updated": "2026-04-28T09:00:06.515227+00:00", "vendors": ["davidlingren", "davidlingren$PRODUCT$media_library_assistant", "wordpress", "wordpress$PRODUCT$wordpress"]}