VYPR
High severity · CVSS 8.1 · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-6075


Description

The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.35. This is due to missing nonce verification on the bulk action handlers in the settings tab handlers. This makes it possible for unauthenticated attackers to trick an administrator into performing bulk delete, edit, or purge operations on plugin settings and attachment metadata via a forged request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Media Library Assistant plugin up to v3.35 lacks CSRF protection on settings bulk actions, allowing an attacker to trick an admin into deleting or modifying plugin settings and attachment metadata.

Vulnerability

The Media Library Assistant (MLA) plugin for WordPress, in versions up to and including 3.35, is vulnerable to Cross-Site Request Forgery (CSRF) because the bulk action handlers of its settings tabs do not verify a nonce [1][2][3][4]. Specifically, the bulk delete, edit, and purge operations on plugin settings (IPTC/EXIF rules, custom field rules) and on attachment metadata accept a request without checking that it originated from a form the plugin itself rendered for the current user. An attacker can therefore craft a forged request that, when submitted from the browser of an authenticated administrator, performs those operations with the administrator's privileges.

Exploitation

An unauthenticated attacker can craft a malicious link or auto-submitting form that issues the forged request. To exploit the flaw, the attacker must get an administrator who is logged in to WordPress to load that content, typically via social engineering (for example a phishing email) or by embedding the request in a third-party site the administrator visits. The administrator's browser attaches the existing session cookies, so the attacker needs no credentials and no direct access to the WordPress admin interface; delivering the crafted request to the victim is sufficient.

Impact

Successful exploitation allows the attacker to perform bulk deletions, edits, or purges of plugin settings and attachment metadata as the victim administrator. This can disrupt the plugin's functionality, remove custom IPTC/EXIF and custom field rules, and clear metadata associated with media items. The CVSS v3 score is 8.1 (High): the attacker needs no privileges of their own and can cause significant data loss or configuration changes, with the score tempered only by the need for an administrator to interact with the attacker's content.

Mitigation

A fix was committed in changeset 3494141 [4], which adds nonce verification to the bulk action handlers in class-mla-settings-custom-fields-tab.php and similar files. At the time of writing the patched release (3.35.1 or later) had not yet shipped; users should update to the first version above 3.35 as soon as it is available. No workarounds are documented. Restricting administrator accounts to trusted users reduces the pool of potential victims but does not eliminate the CSRF vector, since the attack abuses a legitimate administrator's own session.
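The pattern behind both the flaw and the fix is generic to WordPress settings pages, so the following added example illustrates it. It is not code from the Media Library Assistant plugin or from changeset 3494141; the handler names, option name and form field names are hypothetical. What is real is the WordPress API it relies on: wp_nonce_field() emits a token bound to an action string and to the logged-in user's session, and check_admin_referer() verifies that token (via wp_verify_nonce()) and calls wp_die() when it is missing or invalid.

```php
<?php
// Added example, not the plugin's own code. Handler names, the option
// name 'example_plugin_rules' and the form fields are hypothetical.

// Vulnerable pattern: a settings-tab bulk action handler that acts on any
// POST carrying the expected fields. A page on an attacker's site can
// auto-submit an identical form from an administrator's browser, and the
// browser attaches the admin's session cookies to it.
function example_bulk_action_handler_vulnerable() {
    if ( empty( $_POST['bulk_action'] ) || empty( $_POST['rule_ids'] ) ) {
        return;
    }
    $rule_ids = array_map( 'intval', (array) $_POST['rule_ids'] );
    if ( 'delete' === $_POST['bulk_action'] ) {
        example_delete_rules( $rule_ids ); // runs with the victim's privileges
    }
}

// Hardened pattern: the form embeds a nonce for one specific action and
// the handler refuses to do anything destructive without a valid one.
const EXAMPLE_NONCE_ACTION = 'example_bulk_rules';

function example_render_bulk_form( array $rule_ids ) {
    echo '<form method="post">';
    // Emits a hidden _wpnonce field (plus _wp_http_referer) tied to
    // EXAMPLE_NONCE_ACTION and to the current user's session token.
    wp_nonce_field( EXAMPLE_NONCE_ACTION );
    foreach ( $rule_ids as $id ) {
        printf( '<input type="checkbox" name="rule_ids[]" value="%d">', (int) $id );
    }
    echo '<select name="bulk_action"><option value="delete">Delete</option></select>';
    submit_button( 'Apply' );
    echo '</form>';
}

function example_bulk_action_handler_hardened() {
    if ( empty( $_POST['bulk_action'] ) || empty( $_POST['rule_ids'] ) ) {
        return;
    }
    // Authorization first: a nonce proves intent, not permission.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // CSRF check: reads $_REQUEST['_wpnonce'], verifies it against the
    // action and the current user, and dies on failure, so a request forged
    // from another origin never reaches the destructive branch.
    check_admin_referer( EXAMPLE_NONCE_ACTION );

    $rule_ids = array_map( 'intval', (array) $_POST['rule_ids'] );
    if ( 'delete' === sanitize_key( $_POST['bulk_action'] ) ) {
        example_delete_rules( $rule_ids );
    }
}

// Hypothetical storage for the rules a bulk action operates on.
function example_delete_rules( array $rule_ids ) {
    $rules = get_option( 'example_plugin_rules', array() );
    foreach ( $rule_ids as $id ) {
        unset( $rules[ $id ] );
    }
    update_option( 'example_plugin_rules', $rules );
}
```

Two points worth checking when auditing a handler like this. First, the nonce check must sit on every code path that mutates state, including each bulk action branch, not only on the "save settings" path; the advisory's root cause is exactly a set of bulk handlers that the check did not cover. Second, the nonce is not an access-control mechanism: WordPress nonces are valid for roughly 12 to 24 hours and are bound to the user, so the capability check stays necessary, and for admin-ajax.php endpoints the equivalent call is check_ajax_referer().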

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 1

References: 11

News mentions: 0