CVE-2026-2312 MEDIUM

CVE-2026-2312: Media Library Folders <= 8.3.6 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Attachment Deletion and Rename

Vendor Maxfoundry
Product Media Library Folders
Weakness CWE-862 · Missing authorization
Published February 14, 2026
Last update April 8, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The Media Library Folders plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 8.3.6 via the delete_maxgalleria_media() and maxgalleria_rename_image() functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to delete or rename attachments owned by other users (including administrators). The rename flow also deletes all postmeta for the target attachment, causing data loss.
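The pattern behind this class of bug, shown as an added illustration rather than code from Media Library Folders or its vendor: a WordPress AJAX handler verifies a nonce and a coarse role capability, then acts on whatever attachment ID the client sends, never asking whether this particular user may touch that particular attachment. The hardened handlers beside it use WordPress's per-object meta capabilities instead. Function names, the nonce action, and the use of an `attachment_id` POST field are assumptions made for the example.

```php
<?php
// Added illustration, not the plugin's code. Handler and nonce names
// (mlf_example_*) and the attachment_id field are hypothetical.

// Vulnerable pattern: the request is authenticated, but the object is not
// authorized. 'upload_files' is held by Authors, so the check only proves
// the caller is Author+, not that they own attachment $id.
function mlf_example_delete_vulnerable() {
    check_ajax_referer( 'mlf_example_nonce', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $id = absint( $_POST['attachment_id'] ?? 0 );
    // Any attachment ID is accepted here, including one uploaded by an admin.
    wp_delete_attachment( $id, true );
    wp_send_json_success();
}

// Hardened pattern: 'delete_post' is a meta capability; for attachments
// WordPress maps it so an Author passes only for attachments they own,
// while Editors and Administrators (delete_others_posts) pass for any.
function mlf_example_delete_fixed() {
    check_ajax_referer( 'mlf_example_nonce', 'nonce' );
    $id = absint( $_POST['attachment_id'] ?? 0 );
    if ( ! $id || 'attachment' !== get_post_type( $id ) ) {
        wp_send_json_error( 'not an attachment', 400 );
    }
    if ( ! current_user_can( 'delete_post', $id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_delete_attachment( $id, true );
    wp_send_json_success();
}

// Same object-level check for rename, using 'edit_post' on the target.
// The update touches only post_title, so the attachment's postmeta
// (alt text, _wp_attachment_metadata, custom fields) is left intact.
function mlf_example_rename_fixed() {
    check_ajax_referer( 'mlf_example_nonce', 'nonce' );
    $id    = absint( $_POST['attachment_id'] ?? 0 );
    $title = sanitize_text_field( wp_unslash( $_POST['new_title'] ?? '' ) );
    if ( ! $id || 'attachment' !== get_post_type( $id ) || '' === $title ) {
        wp_send_json_error( 'bad request', 400 );
    }
    if ( ! current_user_can( 'edit_post', $id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $result = wp_update_post( array( 'ID' => $id, 'post_title' => $title ), true );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success();
}

add_action( 'wp_ajax_mlf_example_delete', 'mlf_example_delete_fixed' );
add_action( 'wp_ajax_mlf_example_rename', 'mlf_example_rename_fixed' );
```

The nonce defends against CSRF, not against a logged-in attacker who can fetch their own nonce, so it is not a substitute for the `current_user_can( 'delete_post', $id )` check; auditing for this bug class means looking for every handler that takes an object ID and verifying a meta capability is checked against that ID.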

Explanation of Vulnerability in Simple Terms

02Summary

Media Library Folders versions 8.3.6 and earlier do not check whether the logged-in user is allowed to act on the attachment named in a delete or rename request. Any user with the Author role or higher can therefore delete or rename attachments uploaded by other users, including administrators, and the rename path also removes every piece of postmeta attached to the target. The vulnerability affects the integrity of site media rather than exposing data; the CVSS vector records availability impact as None, although deleting attachments and their metadata is destructive and not reversible through the plugin.

What an attacker can do

03Attacker Capabilities

Delete or rename any attachment in the media library, including attachments owned by other users and administrators, by pointing the affected delete or rename function at a target the attacker does not own; a rename also wipes the attachment's postmeta.

Potential impact on your site

04Site Impact

Users with the Author role or higher can destroy or rename media uploaded by other users, including administrators. Because the rename flow deletes all postmeta for the attachment, data stored there (alt text, generated image sizes recorded in _wp_attachment_metadata, custom fields) is lost along with the original name, which can break pages that reference the affected media.

Conditions required to exploit

05Prerequisites

Attacker must have an authenticated account with the Author role or higher on a site running Media Library Folders 8.3.6 or earlier; no interaction from any other user is required.

Key dates

06Disclosure timeline

February 14, 2026 CVE published
April 8, 2026 Record updated
