CVE-2026-54198

Vulnerability

The Media Library Assistant plugin for WordPress versions 3.35 and earlier contains a reflected Cross-Site Scripting (XSS) vulnerability. The flaw allows unauthenticated attackers to inject arbitrary HTML and JavaScript into the response, which will execute in the browser of a victim who visits a crafted link or submits a malicious form. The vulnerability requires user interaction, specifically a privileged user (e.g., administrator) to perform an action such as clicking a link or visiting a specially prepared page [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL or form that, when accessed by a logged-in administrator or other privileged user, reflects the injected payload back in the page. No authentication is required for the attacker to deliver the payload, but the victim must interact with the malicious link or form. Successful exploitation occurs when the victim triggers the crafted request, causing the browser to execute the attacker's script in the context of the WordPress admin interface [1].

Impact

Successful execution of the XSS payload allows an attacker to perform actions on behalf of the victim, such as creating new administrator accounts, altering site content, redirecting visitors to malicious sites, injecting advertisements, or exfiltrating sensitive data. The CVSS v3.1 base score is 7.1 (High), reflecting the potential for significant harm without requiring authentication from the attacker side [1].

Mitigation

The vulnerability is fixed in version 3.36 of the Media Library Assistant plugin. Users are strongly advised to update immediately to the patched version. As a workaround, Patchstack has released a virtual mitigation rule that blocks exploitation attempts until the update can be applied. No other workarounds are documented. The plugin vendor has confirmed the fix and recommends all installations be updated [1].