CVE-2026-34885
Published 2026-04-06
Priority: P2 (63)
Severity: High, CVSS 3.1 base score 8.5
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Exploit: available (Nuclei template indexed below)
EPSS: 1.67% (73.8th percentile)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media Library Assistant allows SQL Injection. This issue affects Media Library Assistant: from n/a through 3.34.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| david_lingren | media_library_assistant | n/a – 3.34 | — |
Detection & IOCs (extracted from sources)
Probe shortcode used by the Nuclei template ({{num}} is a template variable filled in at run time):
```
[mla_custom_list meta_key="_wp_attached_file" fields="(SELECT CONCAT(0x7170787871,md5({{num}}),0x7171787171)) AS meta_value" no_count="true"]
```
Byte markers that bracket the md5 canary in the rendered output:
- 0x7170787871 (ASCII "qpxxq")
- 0x7171787171 (ASCII "qqxqq")
- Probe for plugin presence by requesting the plugin's readme.txt and checking the response body for the strings 'Media Library Assistant' and 'Stable tag:'.
- Successful authentication is confirmed by a 'wordpress_logged_in' cookie in the response headers after the POST to /wp-login.php.
- The SQLi payload is injected through the WordPress REST API (POST /wp-json/wp/v2/posts) using the [mla_custom_list] shortcode with a crafted 'fields' parameter that carries a SQL CONCAT/md5 canary. Exploitation is confirmed by finding the md5 canary value in the rendered post body.
- The attack requires an authenticated session (the source says Subscriber-level or above); a nonce is fetched from /wp-admin/admin-ajax.php?action=rest-nonce and sent as the X-WP-Nonce header with the exploit request. Note that in a default WordPress install, creating a post via POST /wp-json/wp/v2/posts requires the edit_posts capability (Contributor role or above); a stock Subscriber account reaches that step only if the site has granted it additional capabilities.
- Monitor POST requests to /wp-json/wp/v2/posts whose JSON body contains 'mla_custom_list' with a 'fields' parameter embedding raw SQL (e.g. SELECT, CONCAT, 0x hex literals).
- The exploit requires an authenticated WordPress user (PR:L); per the CVSS vector, unauthenticated exploitation is not possible.
- The vulnerability affects Media Library Assistant versions up to and including 3.34. The template treats releases later than 3.34 as remediated, but the advisory text ("from n/a through 3.34") names no fixed version, so confirm the fix against the installed release rather than assuming it.
- The Nuclei template uses a 5-step flow (version check → login → nonce fetch → exploit → validation); every earlier step must succeed before the SQLi step executes.
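The monitoring rule and the canary-validation step described above, as an added example that is not part of this page or of the Nuclei template: a Python detector that reads constructed JSON request-log lines (the log schema, field names, usernames and the sample number 123456 are all assumptions), flags POST /wp-json/wp/v2/posts bodies carrying an [mla_custom_list] shortcode whose fields value embeds SQL, decodes any 0x hex literals so an analyst sees the marker strings, and checks a rendered post body for the md5 canary the template's validation step expects.

```python
import hashlib
import json
import re

# Constructed sample request log (one JSON object per line). The schema is an
# assumption for this example, not the format of any real WAF or web server.
SAMPLE_REQUESTS = [
    {"method": "POST", "uri": "/wp-json/wp/v2/posts", "user": "editor1",
     "body": {"content": '[mla_custom_list meta_key="_wp_attached_file" fields="meta_value"]',
              "status": "publish"}},
    {"method": "POST", "uri": "/wp-json/wp/v2/posts", "user": "contributor1",
     "body": {"content": '[mla_custom_list meta_key="_wp_attached_file" '
                         'fields="(SELECT CONCAT(0x7170787871,md5(123456),0x7171787171)) AS meta_value" '
                         'no_count="true"]',
              "status": "draft"}},
    {"method": "POST", "uri": "/wp-json/wp/v2/comments", "user": "subscriber1",
     "body": {"content": "SELECT is just a word in a comment"}},
]
SAMPLE_LOG = [json.dumps(r) for r in SAMPLE_REQUESTS]

SHORTCODE_RE = re.compile(r"\[mla_custom_list\b([^\]]*)\]", re.IGNORECASE)
FIELDS_RE = re.compile(r'\bfields\s*=\s*"([^"]*)"', re.IGNORECASE)
# Raw SQL inside a shortcode attribute: statements, string-building functions,
# or MySQL hex literals such as the canary markers from the probe.
SQL_MARKERS_RE = re.compile(r"\bSELECT\b|\bUNION\b|\bCONCAT\s*\(|0x[0-9a-fA-F]{4,}", re.IGNORECASE)
HEX_LITERAL_RE = re.compile(r"0x([0-9a-fA-F]+)")

# The two marker literals from the probe shortcode, decoded once for reference.
MARK_START = bytes.fromhex("7170787871").decode("ascii")  # "qpxxq"
MARK_END = bytes.fromhex("7171787171").decode("ascii")    # "qqxqq"


def decode_hex_literals(sql: str) -> dict:
    """Map each 0x literal in a fields value to its ASCII form (None if not decodable)."""
    decoded = {}
    for m in HEX_LITERAL_RE.finditer(sql):
        try:
            decoded["0x" + m.group(1)] = bytes.fromhex(m.group(1)).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            decoded["0x" + m.group(1)] = None
    return decoded


def inspect_request(line: str):
    """Return a finding for a suspicious post-creation request, or None."""
    rec = json.loads(line)
    if rec.get("method") != "POST" or not rec.get("uri", "").startswith("/wp-json/wp/v2/posts"):
        return None
    # A shortcode is rendered from any content-bearing field, so scan them all.
    text = " ".join(str(v) for v in rec.get("body", {}).values())
    for shortcode in SHORTCODE_RE.finditer(text):
        fields = FIELDS_RE.search(shortcode.group(1))
        if fields and SQL_MARKERS_RE.search(fields.group(1)):
            return {
                "user": rec.get("user"),
                "fields": fields.group(1),
                "hex_literals": decode_hex_literals(fields.group(1)),
            }
    return None


def scan_log(lines):
    """Run inspect_request over every log line and keep the findings."""
    return [hit for hit in (inspect_request(line) for line in lines) if hit]


def expected_canary(num) -> str:
    """The string the template's validation step looks for: MySQL md5(num) between the markers."""
    return MARK_START + hashlib.md5(str(num).encode()).hexdigest() + MARK_END


def exploitation_confirmed(rendered_body: str, num) -> bool:
    """True if the rendered post reflected the injected CONCAT(...) result."""
    return expected_canary(num) in rendered_body


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"user={hit['user']} fields={hit['fields']!r} hex={hit['hex_literals']}")
    print(exploitation_confirmed("<p>" + expected_canary(123456) + "</p>", 123456))
```

The benign first record is constructed; tune SQL_MARKERS_RE against the shortcode usage that is legitimate on your site before alerting on it. The page's Nuclei flow submits the shortcode through the REST endpoint, but the shortcode is evaluated wherever the post content is rendered, so the same string check is worth applying to any other route that accepts post content.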
No detection rules found.
Nuclei
WordPress Media Library Assistant <= 3.34 - SQL Injection (CVE-2026-34885, severity HIGH, CVSS 8.5)
David Lingren Media Library Assistant <= 3.34 contains a SQL injection caused by improper neutralization of special elements in SQL commands, letting attackers execute arbitrary SQL queries; exploitation requires crafted input.
Template:
```yaml
id: CVE-2026-34885

info:
  name: WordPress Media Library Assistant <= 3.34 - SQL Injection
  author: theamanrawat
  severity: high
  description: |
    David Lingren Media Library Assistant <= 3.34 contains an sql injection caused by improper neutralization of special elements in SQL commands, letting attackers execute arbitrary SQL queries, exploit requires crafted input.
  impact: |
    Attackers can execute arbitrary SQL commands, potentially leading to data disclosure, modification, or deletion.
  remediation: |
    Up
```
(The template as indexed on this page is cut off after the remediation field.)
No writeups or analysis indexed.
Published: 2026-04-06