CVE-2026-34885

High

Published: 06 April 2026

Published

06 April 2026

Modified

24 April 2026

KEV Added

—

Patch

—

CVSS Score 8.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

EPSS Score 0.0610 90.8th percentile

Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media LIbrary Assistant allows SQL Injection.This issue affects Media LIbrary Assistant: from n/a through 3.34.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mitigates SQL injection by requiring validation and sanitization of untrusted inputs used in SQL commands within the Media Library Assistant plugin.

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of the specific SQL injection flaw in Media Library Assistant versions through 3.34 via patching or upgrades.

RA-5 Vulnerability Monitoring and Scanning good match

preventdetect

Enables vulnerability scanning to identify and remediate SQL injection vulnerabilities like CVE-2026-34885 in WordPress plugins before exploitation.

Security SummaryAI

CVE-2026-34885 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89, affecting the Media Library Assistant WordPress plugin developed by David Lingren. This issue impacts versions from n/a through 3.34. Published on 2026-04-06T15:17:11.130, it carries a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).

Low-privileged authenticated users can exploit this vulnerability remotely with low attack complexity and no user interaction required. Exploitation allows attackers to achieve high confidentiality impact, such as unauthorized access to sensitive data, and low availability impact, with the scope changing to affect other system components.

The Patchstack advisory provides further details on the vulnerability in the Media Library Assistant plugin version 3.34, available at https://patchstack.com/database/wordpress/plugin/media-library-assistant/vulnerability/wordpress-media-library-assistant-plugin-3-34-sql-injection-vulnerability?_s_id=cve.

Details

CWE(s): CWE-89

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

Why these techniques?

SQL injection in a WordPress plugin enables exploitation of a public-facing application (T1190) and facilitates unauthorized data access from databases (T1213.006), matching the high confidentiality impact via remote exploitation by low-privileged users.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://patchstack.com/database/wordpress/plugin/media-library-assistant/vulnerability/wordpress-media-library-assistant-plugin-3-34-sql-injection-vulnerability?_s_id=cve
audit@patchstack.com