Cross-Site Request Forgery Threat in Media Library Assistant Plugin by WordPress
CVE-2026-6075

8.1 HIGH

Key Information:

Vendor: WordPress

CVE Published: 29 May 2026

What is CVE-2026-6075?

The Media Library Assistant plugin for WordPress is affected by a Cross-Site Request Forgery vulnerability due to inadequate nonce verification on bulk action handlers in the settings tab. This deficiency permits unauthenticated attackers to craft malicious requests, potentially deceiving administrators into executing unintended bulk actions such as delete, edit, or purge on plugin settings and attachment metadata, jeopardizing the integrity and security of site data.
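The missing check described above, shown as an added example and not the plugin's own code: a bulk-action handler that relies on the capability check alone, next to one that also verifies a nonce. Every `example_*` function, the `example_bulk` action, the `example-bulk-settings` nonce action and the `_example_cache` meta key are hypothetical names; only the WordPress core functions are real.

```php
<?php
// Added illustration, not Media Library Assistant code. Every example_* name,
// the nonce action and the '_example_cache' meta key are hypothetical.

// Vulnerable pattern: capability check only. The administrator's session cookie
// satisfies it even when the POST was submitted by a page on another origin.
function example_bulk_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    example_apply_bulk();
}

// Hardened pattern: also require a nonce tied to this action and this user's
// session before any state change.
function example_bulk_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // Stops the request unless $_REQUEST['_wpnonce'] is valid for this action.
    check_admin_referer( 'example-bulk-settings' );
    example_apply_bulk();
}

function example_apply_bulk() {
    $action = isset( $_POST['bulk_action'] ) ? sanitize_key( wp_unslash( $_POST['bulk_action'] ) ) : '';
    $ids    = isset( $_POST['ids'] ) ? array_map( 'absint', (array) $_POST['ids'] ) : array();
    if ( ! in_array( $action, array( 'delete', 'purge' ), true ) ) {
        wp_die( 'Unknown bulk action', '', array( 'response' => 400 ) );
    }
    foreach ( $ids as $id ) {
        if ( 'delete' === $action ) {
            wp_delete_attachment( $id, true );          // permanent delete
        } else {
            delete_post_meta( $id, '_example_cache' );  // purge stored metadata
        }
    }
}

// The legitimate form embeds the nonce that the hardened handler verifies.
function example_render_bulk_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_bulk">';
    wp_nonce_field( 'example-bulk-settings' );
    echo '<button name="bulk_action" value="purge">Purge</button></form>';
}

add_action( 'admin_post_example_bulk', 'example_bulk_hardened' );
```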

Affected Version(s)

Media Library Assistant 0 <= 3.35

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jack Pas