What the vulnerability does
01 Description
The Media Library Folders plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 8.3.6 via the delete_maxgalleria_media() and maxgalleria_rename_image() functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to delete or rename attachments owned by other users (including administrators). The rename flow also deletes all postmeta for the target attachment, causing data loss.
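The description attributes the bug to a missing ownership check on a user-controlled attachment ID. As an added example that is not the plugin's code (the `mlf_example_*` function and action names, the nonce name and the `attachment_id`/`title` request parameters are all assumptions), the handlers below show the object-level authorization a delete or rename endpoint for attachments needs: WordPress meta capabilities (`delete_post`, `edit_post`) resolved against the specific post, so an Author can act only on their own uploads.

```php
<?php
/**
 * Added example, not code from the Media Library Folders plugin.
 * Hypothetical AJAX handlers (mlf_example_*) that act on a user-supplied
 * attachment ID only after checking that the current user may act on
 * *that* object. The plugin's real function and action names are not used.
 */

// Delete handler for logged-in users: nonce plus per-object capability check.
add_action( 'wp_ajax_mlf_example_delete_media', 'mlf_example_delete_media' );

function mlf_example_delete_media() {
    // 1. CSRF protection: the request must carry a valid nonce (assumed name).
    check_ajax_referer( 'mlf_example_nonce', 'nonce' );

    // 2. Normalise the user-controlled key to a positive integer.
    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    $attachment    = $attachment_id ? get_post( $attachment_id ) : null;

    // 3. The object must exist and be an attachment, not an arbitrary post.
    if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
        wp_send_json_error( 'invalid attachment', 400 );
    }

    // 4. The object-level check. 'delete_post' is a meta capability that
    //    WordPress resolves per post: for an attachment owned by someone else
    //    it maps to 'delete_others_posts', which the Author role lacks, so an
    //    Author can delete only their own uploads. A bare capability such as
    //    'upload_files' or 'delete_posts' would not distinguish owners.
    if ( ! current_user_can( 'delete_post', $attachment_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 5. Only now act on the object.
    if ( ! wp_delete_attachment( $attachment_id, true ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => $attachment_id ) );
}

// Rename handler: same pattern, using 'edit_post', which resolves to
// 'edit_others_posts' for attachments the current user does not own.
add_action( 'wp_ajax_mlf_example_rename_media', 'mlf_example_rename_media' );

function mlf_example_rename_media() {
    check_ajax_referer( 'mlf_example_nonce', 'nonce' );

    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    $new_title     = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';

    if ( ! $attachment_id || 'attachment' !== get_post_type( $attachment_id ) || '' === $new_title ) {
        wp_send_json_error( 'invalid request', 400 );
    }
    if ( ! current_user_can( 'edit_post', $attachment_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Update only the title. Leaving unrelated postmeta untouched avoids the
    // kind of metadata loss the description associates with the rename flow.
    $result = wp_update_post(
        array( 'ID' => $attachment_id, 'post_title' => $new_title ),
        true // return WP_Error on failure instead of 0
    );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'renamed' => $attachment_id ) );
}
```

The essential line in each handler is the `current_user_can( '<meta cap>', $attachment_id )` call with the object ID: checking a role or a bare capability without the ID would still let any Author act on every attachment, which is the behaviour the description reports.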
Explanation of Vulnerability in Simple Terms
02 Summary
Media Library Folders versions 8.3.6 and earlier lack proper authorization checks, allowing authenticated users to modify folder data they should not have access to. An attacker with a low-privilege account can change folder properties or metadata without proper permission validation. The vulnerability affects the integrity of folder organization but does not expose sensitive data or disrupt availability.
What an attacker can do
03 Attacker Capabilities
Modify media library folders and their properties without proper authorization.
Potential impact on your site
04 Site Impact
Users with limited roles may alter folder structures and metadata intended for higher-privilege users only.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege authenticated account on the site.
Key dates
06 Disclosure timeline
February 14, 2026: CVE published
April 8, 2026: Record updated