CVE-2026-34885
Published: 06 April 2026
Summary
CVE-2026-34885 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); the CVE is ranked in the top 26.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
The vulnerability CVE-2026-34885 is an SQL injection issue (CWE-89) caused by improper neutralization of special elements in SQL commands. It affects the Media Library Assistant plugin for WordPress, impacting all versions through 3.34.
Authenticated users with low privileges can exploit the flaw over a network connection to achieve high confidentiality impact and limited availability impact, with changed scope allowing effects beyond the immediate component.
The Patchstack advisory at the referenced URL documents the SQL injection vulnerability in Media Library Assistant version 3.34. The EPSS score remains flat at 0.0806 with no material rise observed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19309
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media Library Assistant allows SQL Injection. This issue affects Media Library Assistant: from n/a through 3.34.
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a WordPress plugin enables exploitation of a public-facing application (T1190) and facilitates unauthorized data access from databases (T1213.006), matching the high confidentiality impact via remote exploitation by low-privileged users.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly mitigates SQL injection by requiring validation and sanitization of untrusted inputs used in SQL commands within the Media Library Assistant plugin.
- Requires timely remediation of the specific SQL injection flaw in Media Library Assistant versions through 3.34 via patching or upgrades.
- RA-5 (Vulnerability Monitoring and Scanning): Enables vulnerability scanning to identify and remediate SQL injection vulnerabilities like CVE-2026-34885 in WordPress plugins before exploitation.
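The advisory does not describe the vulnerable query, so the following is an added illustration (not the plugin's own code) of the string-interpolation pattern that CWE-89 names in a WordPress plugin, beside the $wpdb->prepare() form that the SI-10 input-validation control calls for. The function names and the `s`/`limit` request parameters are hypothetical.

```php
<?php
// Added example, not code from the Media Library Assistant plugin.
// Function names and request parameters are hypothetical.

// UNSAFE: user-controlled values are interpolated straight into SQL, so
// the database parses them as query syntax rather than as data (CWE-89).
function mla_example_find_attachments_unsafe( $search, $limit ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}
            WHERE post_type = 'attachment'
              AND post_title LIKE '%{$search}%'
            LIMIT {$limit}";
    return $wpdb->get_results( $sql );
}

// SAFE: $wpdb->prepare() binds each value through a typed placeholder
// (%s, %d), so input is always treated as data. $wpdb->esc_like() also
// neutralises LIKE wildcards (% and _) that prepare() does not handle.
function mla_example_find_attachments_safe( $search, $limit ) {
    global $wpdb;
    $limit = max( 1, min( 500, absint( $limit ) ) );   // allow-list the range
    $like  = '%' . $wpdb->esc_like( $search ) . '%';
    $sql   = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_type = 'attachment' AND post_title LIKE %s
         LIMIT %d",
        $like,
        $limit
    );
    return $wpdb->get_results( $sql );
}

// The stated precondition is a low-privileged authenticated user, so gate
// the operation on a capability rather than on being logged in alone, and
// sanitise request values before they reach the query layer.
function mla_example_handle_search() {
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }
    $search = isset( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : '';
    $limit  = isset( $_GET['limit'] ) ? absint( $_GET['limit'] ) : 50;
    return mla_example_find_attachments_safe( $search, $limit );
}
```

A code review or static scan (RA-5) for any `$wpdb->query`/`get_results` call whose SQL string contains interpolated variables is a quick way to find the unsafe pattern across installed plugins.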