CVE-2026-34885
published 2026-04-06

CVE-2026-34885: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media Library Assistant allows SQL…

Priority: P2 (63) · Severity: high · CVSS 3.1 base score: 8.5
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Exploit: available
EPSS: 1.67% (73.8th percentile)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media Library Assistant allows SQL Injection. This issue affects Media Library Assistant: all versions up to and including 3.34 ("from n/a through 3.34").

Affected

1 range

Vendor          Product                    Version range   Fixed in
david_lingren   media_library_assistant    n/a – 3.34      (not listed)

Detection & IOCs (extracted from sources)

url: /wp-content/plugins/media-library-assistant/readme.txt
url: /wp-admin/admin-ajax.php?action=rest-nonce
url: /wp-json/wp/v2/posts
path: /wp-content/plugins/media-library-assistant/
command: [mla_custom_list meta_key="_wp_attached_file" fields="(SELECT CONCAT(0x7170787871,md5({{num}}),0x7171787171)) AS meta_value" no_count="true"]
bytes: 0x7170787871 (ASCII "qpxxq", canary prefix)
bytes: 0x7171787171 (ASCII "qqxqq", canary suffix)
  • Probe for plugin presence by requesting /wp-content/plugins/media-library-assistant/readme.txt and checking the response body for the strings 'Media Library Assistant' and 'Stable tag:'; the Stable tag value gives the installed version for comparison against the 3.34 cutoff.
  • Successful authentication is confirmed by a 'wordpress_logged_in' cookie in the Set-Cookie response header after the POST to /wp-login.php.
  • The SQLi payload is delivered through the WordPress REST API (POST /wp-json/wp/v2/posts) as an [mla_custom_list] shortcode whose 'fields' attribute carries a SQL subquery: CONCAT of a hex canary prefix, an md5() value, and a hex canary suffix. Exploitation is confirmed when the md5 canary value appears in the rendered post body.
  • The attack requires an authenticated session (the source describes Subscriber-level or above); a REST nonce is fetched from /wp-admin/admin-ajax.php?action=rest-nonce and sent as the X-WP-Nonce header on the exploit request. Caveat: creating a post through POST /wp-json/wp/v2/posts requires the edit_posts capability, which WordPress core grants to Contributor and higher roles but not to Subscriber, so a plain Subscriber account cannot complete the post-creation step of this particular flow on its own.
  • Monitor POST requests to /wp-json/wp/v2/posts whose JSON body contains 'mla_custom_list' with a 'fields' attribute embedding raw SQL (SELECT, CONCAT, subqueries in parentheses, 0x hex literals). Standard access logs do not record request bodies, so this needs a WAF, a reverse proxy with body capture, or a WordPress-side hook.
  • Exploitation requires an authenticated WordPress user (PR:L in the CVSS vector); unauthenticated exploitation is not indicated.
  • Affected: Media Library Assistant versions up to and including 3.34; versions later than 3.34 are reported as remediated.
  • The Nuclei template uses a five-step flow (version check → login → nonce fetch → exploit → validation); every earlier step must succeed before the SQLi step executes.
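As an added example (not code from this page, the plugin, or the Nuclei template), the following Python implements the two checks the bullets above describe: the readme.txt 'Stable tag:' triage against the 3.34 cutoff, and a detector for REST POST bodies that carry an [mla_custom_list] shortcode whose fields attribute embeds raw SQL or the payload's canary hex literals. The readme texts and request bodies are constructed samples, and the SQL keyword list used to judge a fields value is a heuristic assumption, not something the advisory specifies.

```python
import json
import re

# Last affected version listed on the page ("n/a through 3.34"). The page lists no
# point releases, so anything newer than 3.34 is treated as outside the stated range.
LAST_AFFECTED = (3, 34)

# Canary hex literals from the public payload. They decode to ASCII "qpxxq" and
# "qqxqq": sqlmap-style markers that bracket the md5 value in the rendered output.
CANARY_HEX = ("0x7170787871", "0x7171787171")

SHORTCODE_RE = re.compile(r"\[mla_custom_list\b([^\]]*)\]", re.IGNORECASE)
# fields="..." / fields='...' / fields=bare
FIELDS_RE = re.compile(r"""\bfields\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""", re.IGNORECASE)
# Heuristic (assumption): a legitimate column list carries no SQL keywords,
# hex literals, parenthesised subqueries or comment sequences.
RAW_SQL_RE = re.compile(
    r"\b(?:SELECT|UNION|CONCAT|SLEEP|BENCHMARK|FROM|WHERE|CASE|IF)\b"
    r"|0x[0-9a-fA-F]{2,}"
    r"|\([^)]*\)"
    r"|--|/\*|#",
    re.IGNORECASE,
)


def parse_stable_tag(readme_text):
    """Return the 'Stable tag:' version from a plugin readme.txt as an int tuple.
    Returns None when absent or non-numeric (e.g. 'Stable tag: trunk')."""
    m = re.search(r"^Stable tag:\s*v?(\d+(?:\.\d+)*)\s*$", readme_text, re.MULTILINE)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def _pad(version, width):
    return version + (0,) * (width - len(version))


def is_affected_readme(readme_text):
    """Probe step from the advisory: the response must name the plugin and carry a
    Stable tag at or below 3.34 to be flagged as inside the affected range."""
    if "Media Library Assistant" not in readme_text:
        return False
    ver = parse_stable_tag(readme_text)
    if ver is None:
        return False
    width = max(len(ver), len(LAST_AFFECTED))
    return _pad(ver, width) <= _pad(LAST_AFFECTED, width)


def _text_field(doc, key):
    """WP REST accepts either "content": "..." or "content": {"raw": "..."}."""
    value = doc.get(key, "")
    if isinstance(value, dict):
        value = value.get("raw", "")
    return value if isinstance(value, str) else ""


def find_mla_sqli(request_body):
    """Return the suspicious `fields` values found in [mla_custom_list] shortcodes
    inside a JSON body POSTed to /wp-json/wp/v2/posts (empty list if clean)."""
    try:
        doc = json.loads(request_body)
    except ValueError:
        return []
    if not isinstance(doc, dict):
        return []
    hits = []
    for key in ("content", "excerpt", "title"):
        for attrs in SHORTCODE_RE.findall(_text_field(doc, key)):
            m = FIELDS_RE.search(attrs)
            if not m:
                continue
            fields = next(g for g in m.groups() if g is not None)
            if RAW_SQL_RE.search(fields) or any(c in fields.lower() for c in CANARY_HEX):
                hits.append(fields)
    return hits


# Constructed samples (not captured traffic).
README_AFFECTED = "=== Media Library Assistant ===\nRequires at least: 5.9\nStable tag: 3.34\n"
README_PATCHED = "=== Media Library Assistant ===\nStable tag: 3.35\n"
README_OTHER = "=== Some Other Plugin ===\nStable tag: 1.0\n"

PAYLOAD = ('[mla_custom_list meta_key="_wp_attached_file" '
           'fields="(SELECT CONCAT(0x7170787871,md5(1),0x7171787171)) AS meta_value" '
           'no_count="true"]')
REQUESTS = [
    json.dumps({"title": "x", "status": "publish", "content": PAYLOAD}),
    json.dumps({"title": "gallery", "content": {"raw": '[mla_custom_list meta_key="_wp_attached_file" fields="meta_value"]'}}),
    json.dumps({"title": "hello", "content": "<p>plain text</p>"}),
]


def scan_requests(bodies):
    """Map each request body to the fields values it was flagged for."""
    return [find_mla_sqli(b) for b in bodies]


if __name__ == "__main__":
    for name, text in (("affected", README_AFFECTED), ("patched", README_PATCHED), ("other", README_OTHER)):
        print(f"readme {name}: affected={is_affected_readme(text)}")
    for body, hits in zip(REQUESTS, scan_requests(REQUESTS)):
        print("ALERT" if hits else "ok   ", body[:70], hits)
```

The version check deliberately treats a readme with no numeric Stable tag as not-confirmed rather than affected, so it never reports a hit it cannot back with a version. The body detector only sees what a WAF or body-capturing proxy hands it; feeding it ordinary access-log lines, which lack the POST body, will find nothing.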