High severity8.1NVD Advisory· Published May 29, 2026· Updated May 29, 2026
CVE-2026-6075
CVE-2026-6075
Description
The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.35 This is due to missing nonce verification on the bulk action handlers in the settings tab handlers. This makes it possible for unauthenticated attackers to trick an administrator into performing bulk delete, edit, or purge operations on plugin settings and attachment metadata via a forged request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2<= 3.35+ 1 more
- (no CPE)range: <= 3.35
- (no CPE)range: <=3.35
Patches
Vulnerability mechanics
References
11- plugins.trac.wordpress.org/browser/media-library-assistant/tags/3.33/includes/class-mla-settings-custom-fields-tab.phpnvd
- plugins.trac.wordpress.org/browser/media-library-assistant/tags/3.33/includes/class-mla-settings-iptc-exif-tab.phpnvd
- plugins.trac.wordpress.org/browser/media-library-assistant/tags/3.33/includes/class-mla-settings-view-tab.phpnvd
- plugins.trac.wordpress.org/browser/media-library-assistant/tags/3.33/includes/class-mla-settings.phpnvd
- plugins.trac.wordpress.org/browser/media-library-assistant/trunk/includes/class-mla-settings-custom-fields-tab.phpnvd
- plugins.trac.wordpress.org/browser/media-library-assistant/trunk/includes/class-mla-settings-iptc-exif-tab.phpnvd
- plugins.trac.wordpress.org/browser/media-library-assistant/trunk/includes/class-mla-settings-view-tab.phpnvd
- plugins.trac.wordpress.org/browser/media-library-assistant/trunk/includes/class-mla-settings.phpnvd
- plugins.trac.wordpress.org/changeset/3494141/media-library-assistant/trunk/includes/class-mla-settings-custom-fields-tab.phpnvd
- plugins.trac.wordpress.org/changesetnvd
- www.wordfence.com/threat-intel/vulnerabilities/id/0e399651-8992-4949-b7a7-4e8ce199b47anvd
News mentions
2- Wordfence Intelligence Weekly WordPress Vulnerability Report (May 25, 2026 to May 31, 2026)Wordfence Blog · Jun 4, 2026
- WordPress Plugin Batch: 25 CVEs Across 20+ Plugins Disclosed in Late May 2026Vypr Intelligence · May 31, 2026