HIGH · CVE-2026-54198 · CNA: Patchstack

CVE-2026-54198: WordPress Media Library Assistant plugin <= 3.35 - Reflected Cross-Site Scripting (XSS) vulnerability

Unauthenticated Cross-Site Scripting (XSS) in Media Library Assistant versions <= 3.35.

Metrics

  • CVSS v3.1: 7.1
  • Severity: HIGH
  • Fixed in: no fix version published upstream
  • Affected products: 1

HarborGuard Analysis

Synopsis

Reflected Cross-Site Scripting (XSS) in the WordPress Media Library Assistant plugin (versions 3.35 and earlier) allows an unauthenticated remote attacker to inject malicious JavaScript into a victim's browser by tricking them into clicking a crafted link. The vulnerability is reachable over the network and requires no login, but does require the victim to follow a specially crafted URL. Successful exploitation enables the attacker to read or modify page content in the victim's browser session and potentially disrupt the affected page, with impact extending beyond the origin due to the Changed scope. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer images and pipeline builds, including custom WordPress images that bundle this plugin. Coverage extends to any registry or CI pipeline connected to HarborGuard.

Status: Available

Triage

HarborGuard is capable of scoring this finding at CVSS 7.1 (HIGH) and weighting it against each environment's compliance policy to determine urgency. Findings are routed to the appropriate team inbox within each customer organization based on configured severity thresholds and ownership rules.

Status: Available

Patch

No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the Media Library Assistant maintainer ships a remediated release. Customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads without additional manual steps.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the target WordPress site over the network to deliver the malicious URL.

  • Authentication: Not required

    No account or login is needed; the vulnerability is exploitable by any unauthenticated party.

  • Victim interaction: Required

    The victim must click a crafted link or otherwise be socially engineered into triggering the reflected payload in their browser.

  • Attack complexity: Low

    The exploit is reliable and requires no special conditions, race windows, or environmental prerequisites.

Blast Radius

  • An attacker can execute arbitrary JavaScript in the victim's browser session, reading stored cookies, session tokens, or other data accessible to page scripts.
  • Injected script can modify page content visible to the victim, including form fields and displayed data.
  • Because the CVSS scope is Changed, impact can extend beyond the vulnerable plugin's own context into other browser-accessible origins or components on the same WordPress installation.
  • The availability impact rating indicates the attacker can disrupt the rendered page or degrade the victim's browsing session on the affected site.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-54198 is active and matched against any image that bundles Media Library Assistant 3.35 or earlier, including custom WordPress images. Because no upstream fix exists yet, HarborGuard monitors the Patchstack advisory and the plugin's release channel on every ingest cycle. The moment a patched version is published, a rebuilt image becomes available automatically. For customers with auto-remediation enabled, that triggers a full rebuild, a regression-test run, and a PR opened against affected workloads. While awaiting a patch, compensating controls worth considering include web-application firewall rules that strip or encode reflected query parameters, network-policy isolation that limits which internal services the WordPress pod can reach, and restricting unauthenticated access to affected plugin endpoints via your ingress configuration where operationally feasible.

Affected packages
  • David Lingren / Media Library Assistant: ≤ 3.35
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L