Severity: HIGH | CVE-2026-6075 | CNA: Wordfence

CVE-2026-6075: Media Library Assistant <= 3.35 - Cross-Site Request Forgery via Bulk Action Form

The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.35. This is due to missing nonce verification on the bulk action handlers in the settings tab. This makes it possible for unauthenticated attackers to trick an administrator into performing bulk delete, edit, or purge operations on plugin settings and attachment metadata via a forged request.

HarborGuard Analysis

Synopsis

A cross-site request forgery vulnerability in the Media Library Assistant WordPress plugin (versions 3.35 and earlier) lets a remote attacker forge requests that target an authenticated administrator. The bulk action handlers in the settings tab skip nonce verification, so an admin who visits an attacker-controlled page while logged in can be made to delete, edit, or purge plugin settings and attachment metadata without consent. Successful exploitation tampers with site configuration and stored media records and can disrupt the media library, and HarborGuard tracks the advisory for patch availability since no fixed version has been published yet.
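The class of fix the advisory implies is a settings-tab bulk action handler that verifies a nonce and a capability before doing anything destructive. The following is an added illustration, not Media Library Assistant's own code; every function, action, option and field name in it is hypothetical.

```php
<?php
// Added example (not the plugin's code): a hardened settings-tab bulk action
// handler. All names prefixed "example_" are hypothetical.

// Render the bulk action form with a nonce field bound to one specific action.
function example_render_bulk_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_bulk_settings">
        <?php wp_nonce_field( 'example_bulk_settings', 'example_bulk_nonce' ); ?>
        <select name="bulk_action">
            <option value="purge">Purge settings</option>
            <option value="delete">Delete metadata</option>
        </select>
        <?php submit_button( 'Apply' ); ?>
    </form>
    <?php
}

// Handler for admin_post_example_bulk_settings. The weakness described in the
// advisory is a handler that reaches the switch below without the two checks
// that precede it.
function example_handle_bulk_settings() {
    // 1. Capability check: only users allowed to change settings may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), 403 );
    }
    // 2. Nonce check: dies if the token is missing, stale, or issued for another
    //    action. A forged cross-site POST cannot carry a valid token for the
    //    victim's session. The action name must match wp_nonce_field() above.
    check_admin_referer( 'example_bulk_settings', 'example_bulk_nonce' );

    $bulk_action = isset( $_POST['bulk_action'] )
        ? sanitize_key( wp_unslash( $_POST['bulk_action'] ) )
        : '';
    switch ( $bulk_action ) {
        case 'purge':
            delete_option( 'example_plugin_settings' ); // hypothetical option name
            break;
        case 'delete':
            // Destructive work on attachment metadata would go here.
            break;
        default:
            wp_die( esc_html__( 'Unknown bulk action.', 'example' ), 400 );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=example&updated=1' ) );
    exit;
}
add_action( 'admin_post_example_bulk_settings', 'example_handle_bulk_settings' );
```

The capability check alone would not stop this CVE, since the forged request runs as the administrator; it is the nonce check that rejects a request the admin's own page did not generate.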

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment, with CVE-2026-6075 ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI pipelines. Coverage includes custom-built images that bundle the Media Library Assistant plugin, even when the plugin is layered in at build time.
Triage: Available

Triage is available with the published CVSS v3.1 score of 8.1 (HIGH) weighted against each customer's compliance policy, so environments with stricter posture surface this faster. Findings route to the inbox configured for WordPress plugin advisories inside each customer org.
Patch: Pending upstream

No upstream fix has been published, so HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment dglingren ships a fixed Media Library Assistant release. Auto-remediation customers will then automatically receive the rebuild, a regression test run, and a PR opened against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker needs to deliver a forged request that reaches the WordPress admin over the network, typically by luring the administrator to a hostile page.

  • Authentication: Not required

    The attacker themselves does not authenticate; the forged request rides on the victim administrator's existing session.

  • Victim interaction: Required

    An authenticated administrator must visit or interact with attacker-controlled content while logged into the WordPress site.

  • Attack complexity: Low

    Attack complexity is low: the missing nonce check makes the forged bulk action reliable without race conditions or environmental tuning.

Blast Radius

  • Modifies persisted Media Library Assistant plugin settings on the WordPress site.
  • Deletes, edits, or purges attachment metadata records in the media library.
  • Disrupts availability of the media library and any site features that depend on those attachments or plugin configuration.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of CVE-2026-6075 with daily re-checks against the dglingren advisory feed, so a patched-image rebuild becomes available the moment a fixed Media Library Assistant release ships. In the meantime, compensating controls are surfaced for affected environments, including restricting WordPress admin access by IP or VPN, enforcing SameSite cookie posture, and gating the plugin behind a feature flag where compliance policy permits. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be triggered automatically once an upstream fix is published.

Metrics

  • CVSS v3.1: 8.1
  • Severity: HIGH
  • Fixed in: no fixed version published yet
  • Affected products: 1
  • Affected packages:
    • dglingren / Media Library Assistant ≤ 3.35
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H