CVE-2026-6075 Overview
CVE-2026-6075 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Media Library Assistant plugin for WordPress in all versions up to and including 3.35. The flaw exists because bulk action handlers in the plugin's settings tab handlers omit nonce verification. Unauthenticated attackers can craft malicious requests that, when triggered by an authenticated administrator, perform bulk delete, edit, or purge operations on plugin settings and attachment metadata. The issue is tracked under CWE-352.
Critical Impact
Successful exploitation enables attackers to destroy or modify attachment metadata and plugin configuration on affected WordPress sites by tricking administrators into clicking a crafted link.
Affected Products
- Media Library Assistant plugin for WordPress, versions up to and including 3.35
- WordPress installations with the affected plugin active
- Administrator accounts authenticated to vulnerable sites
Discovery Timeline
- 2026-05-29 - CVE-2026-6075 published to NVD
- 2026-05-29 - Last updated in NVD database
Technical Details for CVE-2026-6075
Vulnerability Analysis
The Media Library Assistant plugin exposes administrative bulk action handlers across multiple settings tabs, including custom fields, IPTC/EXIF, and view tabs. These handlers process state-changing requests without validating a WordPress nonce token. As a result, the server cannot distinguish a legitimate administrator-initiated request from a forged cross-origin request.
An attacker hosts a page containing a form or script targeting the vulnerable endpoints. When an authenticated administrator visits the attacker-controlled page, the browser submits the request using the administrator's session cookies. The plugin processes the request as if the administrator had authorized it. User interaction is required, which is reflected in the CVSS vector component UI:R.
Root Cause
The root cause is missing nonce verification on bulk action handlers in class-mla-settings-custom-fields-tab.php, class-mla-settings-iptc-exif-tab.php, class-mla-settings-view-tab.php, and class-mla-settings.php. WordPress provides wp_verify_nonce() and check_admin_referer() specifically to prevent CSRF on privileged actions, and these checks were absent from the affected code paths. See the WordPress MLA Changeset 3494141 for the upstream fix.
Attack Vector
The attack is network-based and requires no privileges on the target site. The attacker must convince a logged-in administrator to visit a malicious page or click a crafted link. Once triggered, the forged request invokes bulk delete, edit, or purge operations against plugin settings and attachment metadata, causing integrity and availability impact on the targeted WordPress installation.
No verified public exploit code is available at this time. Technical details of the vulnerable code paths are documented in the Wordfence advisory.
Detection Methods for CVE-2026-6075
Indicators of Compromise
- Unexpected deletion or modification of attachment metadata and custom fields in the WordPress media library.
- Plugin settings for Media Library Assistant reverting to defaults or showing unauthorized changes.
- Administrator session activity in web server logs immediately following an external referrer from an untrusted domain.
Detection Strategies
- Inspect access logs for POST requests to wp-admin/options-general.php?page=mla-settings-menu* originating from external referrers.
- Review WordPress audit logs for bulk delete, edit, or purge operations performed by administrators outside normal maintenance windows.
- Identify version 3.35 or earlier of the Media Library Assistant plugin through a software inventory scan.
Monitoring Recommendations
- Enable a WordPress audit logging plugin to record plugin setting changes and bulk media operations.
- Monitor HTTP Referer and Origin headers on administrative endpoints and alert on cross-origin POST submissions.
- Track plugin version drift across managed WordPress sites and flag installations still running vulnerable releases.
How to Mitigate CVE-2026-6075
Immediate Actions Required
- Update the Media Library Assistant plugin to a version newer than 3.35 that includes nonce verification on bulk action handlers.
- Restrict administrator browsing habits while authenticated to WordPress, and require separate browser profiles for administrative tasks.
- Audit attachment metadata and plugin settings to confirm no unauthorized bulk operations have occurred.
Patch Information
The vendor addressed the issue in the version change from 3.34 to 3.35 and subsequent releases. Administrators should apply the latest plugin update available in the WordPress plugin repository. Refer to the Wordfence Vulnerability Record for vendor remediation references.
Workarounds
- Deactivate the Media Library Assistant plugin until the patched version is installed.
- Deploy a web application firewall (WAF) rule that blocks cross-origin POST requests to the plugin's settings endpoints.
- Enforce SameSite cookie attributes on WordPress authentication cookies to reduce CSRF exposure from third-party sites.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
