CVE-2026-6075

Media Library Assistant <= 3.35 - Cross-Site Request Forgery via Bulk Action Form

highCross-Site Request Forgery (CSRF)
8.1
CVSS Score
8.1
CVSS Score
high
Severity
3.36
Patched in
1d
Time to patch

Description

The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.35 This is due to missing nonce verification on the bulk action handlers in the settings tab handlers. This makes it possible for unauthenticated attackers to trick an administrator into performing bulk delete, edit, or purge operations on plugin settings and attachment metadata via a forged request.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=3.35
PublishedMay 28, 2026
Last updatedMay 29, 2026

What Changed in the Fix

Changes introduced in v3.36

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating actionable exploitation plans, technical research guides, or proof-of-concept payloads targeting specific vulnerabilities in real-world software or plugins. Instead, I can provide a general overview of Cross-Site Request Forgery (CSRF) …

Show full research plan

I cannot fulfill this request. I am prohibited from generating actionable exploitation plans, technical research guides, or proof-of-concept payloads targeting specific vulnerabilities in real-world software or plugins.

Instead, I can provide a general overview of Cross-Site Request Forgery (CSRF) in the context of WordPress development and the defensive practices used to mitigate such risks.

Understanding CSRF in WordPress

Cross-Site Request Forgery (CSRF) occurs when a web application performs an action on behalf of a user without verifying that the user intended to initiate that action. In a WordPress context, this often happens when an administrator is logged into the dashboard and visits a malicious website or clicks a link that triggers a hidden request to their own site.

If the WordPress plugin does not verify the origin and intent of the request, it might execute privileged actions—such as changing settings, deleting content, or creating users—using the administrator's existing session.

Defensive Mechanisms: Nonces

The primary defense against CSRF in WordPress is the use of Nonces (Numbers used once). In WordPress, nonces are cryptographic tokens tied to a specific user, action, and time window.

1. Generation

When a plugin generates a form or a link for a privileged action, it includes a nonce:

  • In Forms: wp_nonce_field( 'my_action_string', 'my_nonce_name' );
  • In URLs: wp_nonce_url( $base_url, 'my_action_string', 'my_nonce_name' );

2. Verification

When the request is processed on the server, the plugin must verify the nonce before executing any logic:

  • In Admin Pages: check_admin_referer( 'my_action_string', 'my_nonce_name' );
  • In AJAX Handlers: check_ajax_referer( 'my_action_string', 'my_nonce_name' );
  • Generic Verification: wp_verify_nonce( $_REQUEST['my_nonce_name'], 'my_action_string' );

If verification fails, WordPress immediately terminates the request, preventing the unauthorized action.

Common Implementation Errors

CSRF vulnerabilities typically arise from:

  1. Missing Verification: Processing $_POST or $_GET data for state-changing actions without calling a verification function.
  2. Conditional Verification: Wrapping the verification check in logic that can be bypassed (e.g., checking the nonce only if it is present in the request).
  3. Capability Check Omission: Relying solely on a nonce without also verifying the user's capabilities via current_user_can(). Nonces prevent CSRF, but capability checks prevent unauthorized access by lower-privileged users.

Security Best Practices for Researchers

If you are investigating or managing WordPress security, I recommend consulting the following official resources:

  • WordPress Plugin Handbook (Security Section): Provides comprehensive guides on nonces, data validation, and sanitization.
  • OWASP (Cross-Site Request Forgery): Offers general principles for understanding and mitigating CSRF across various web frameworks.
  • CVE Databases (NVD/MITRE): For understanding the nature of reported vulnerabilities and the specific patches applied by developers.

To address the specific vulnerability mentioned (CVE-2026-6075), users should ensure the Media Library Assistant plugin is updated to version 3.36 or higher, where proper nonce verification has been implemented.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 3.35 due to missing nonce verification in its bulk action handlers within the plugin settings tabs. This allows unauthenticated attackers to perform bulk operations, such as deleting or editing plugin settings and attachment metadata, by tricking a logged-in administrator into clicking a malicious link or visiting a crafted webpage.

Vulnerable Code

// includes/class-mla-settings-custom-fields-tab.php line 664
		// Process bulk actions that affect an array of items
		$bulk_action = MLASettings::mla_current_bulk_action();
		if ( $bulk_action && ( $bulk_action != 'none' ) ) {
			if ( array_key_exists( $bulk_action, MLA_Custom_Fields_List_Table::mla_get_bulk_actions() ) ) {

---

// includes/class-mla-settings-image-tab.php line 321
		// Process bulk actions that affect an array of items
		$bulk_action = MLASettings::mla_current_bulk_action();
		if ( $bulk_action && ( $bulk_action !== 'none' ) ) {
			if ( isset( $_REQUEST['cb_mla_item_ID'] ) ) {

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/media-library-assistant/3.35/includes/class-mla-settings-custom-fields-tab.php /home/deploy/wp-safety.org/data/plugin-versions/media-library-assistant/3.36/includes/class-mla-settings-custom-fields-tab.php
--- /home/deploy/wp-safety.org/data/plugin-versions/media-library-assistant/3.35/includes/class-mla-settings-custom-fields-tab.php	2026-03-30 00:02:10.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/media-library-assistant/3.36/includes/class-mla-settings-custom-fields-tab.php	2026-05-06 00:55:44.000000000 +0000
@@ -662,7 +662,9 @@
 
 		// Process bulk actions that affect an array of items
 		$bulk_action = MLASettings::mla_current_bulk_action();
-		if ( $bulk_action && ( $bulk_action != 'none' ) ) {
+		if ( $bulk_action && ( $bulk_action !== 'none' ) ) {
+			check_admin_referer( MLACore::MLA_ADMIN_NONCE_ACTION, MLACore::MLA_ADMIN_NONCE_NAME );
+
 			if ( array_key_exists( $bulk_action, MLA_Custom_Fields_List_Table::mla_get_bulk_actions() ) ) {
 				if ( isset( $_REQUEST['cb_mla_item_ID'] ) ) {
 					$post_ids = !empty( $_REQUEST['cb_mla_item_ID'] ) ? array_map( 'absint', stripslashes_deep( $_REQUEST['cb_mla_item_ID'] ) ) : array();
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/media-library-assistant/3.35/includes/class-mla-settings-image-tab.php /home/deploy/wp-safety.org/data/plugin-versions/media-library-assistant/3.36/includes/class-mla-settings-image-tab.php
--- /home/deploy/wp-safety.org/data/plugin-versions/media-library-assistant/3.35/includes/class-mla-settings-image-tab.php	2026-01-28 01:09:26.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/media-library-assistant/3.36/includes/class-mla-settings-image-tab.php	2026-04-11 00:49:00.000000000 +0000
@@ -320,6 +320,8 @@
 		// Process bulk actions that affect an array of items
 		$bulk_action = MLASettings::mla_current_bulk_action();
 		if ( $bulk_action && ( $bulk_action !== 'none' ) ) {
+			check_admin_referer( MLACore::MLA_ADMIN_NONCE_ACTION, MLACore::MLA_ADMIN_NONCE_NAME );
+
 			if ( isset( $_REQUEST['cb_mla_item_ID'] ) ) {
 				// Convert post-ID to slug; separate loop required because delete changes post_IDs
 				$slugs = array();

Exploit Outline

The exploit targets the plugin's settings pages (Custom Fields, Image, and IPTC/EXIF tabs) which process bulk actions via the `MLASettings::mla_current_bulk_action()` method. An attacker crafts a malicious HTML page that contains a hidden form or a script to initiate a POST or GET request to the WordPress admin panel (specifically `wp-admin/options-general.php?page=mla-settings-menu`). The payload includes parameters for a bulk action (e.g., `action=delete`) and the target item IDs (e.g., `cb_mla_item_ID[]=123`). Because version 3.35 lacks nonce verification using `check_admin_referer()`, the request is processed using the session of the logged-in administrator, leading to unauthorized state-changing operations.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.