CVE-2026-32399:

SQL injection vulnerability in Media Library Assistant WordPress plugin

Score
A numerical rating that indicates how dangerous this vulnerability is.

8.5High

Published Date:Mar 13, 2026
CISA KEV Date:*No Data*
Industries Affected:20

Threat Predictions

EPSS Score:0.0
EPSS Percentile:8%

Exploitability

Score:3.1
Attack Vector:NETWORK
Attack Complexity:LOW
Privileges Required:LOW
User Interaction:NONE
Scope:CHANGED

Impact

Score:4.7
Confidentiality Impact:HIGH
Integrity Impact:NONE
Availability Impact:LOW

Description Preview

SQL injection vulnerability in Media Library Assistant WordPress plugin

Overview

The Media Library Assistant plugin, developed by David Lingren, contains a critical vulnerability classified as an Improper Neutralization of Special Elements used in an SQL Command, also known as SQL Injection. This flaw is tracked as CVE-2026-32399 and has been assigned a CVSS v3.1 base score of 8.5, indicating a high severity level. The vulnerability requires low attack complexity and can be exploited remotely over the network with low privileges and without user interaction. While the confidentiality impact is high, there is no impact on integrity, and a low impact on availability. The scope of the vulnerability is changed, suggesting potential effects beyond the vulnerable component.

Remediation

To mitigate this vulnerability, users of the Media Library Assistant plugin should immediately update to a version newer than 3.32, once available. In the meantime, it is advisable to disable the plugin if possible. Website administrators should also implement additional security measures such as web application firewalls, input validation, and regular security audits to detect and prevent SQL injection attempts. Monitoring database logs for suspicious activities is also recommended. It's crucial to follow WordPress security best practices, including keeping all plugins, themes, and core WordPress installations up to date.