Insecure Direct Object Reference Vulnerability in Media Library Folders Plugin for WordPress
CVE-2026-2312
4.3MEDIUM
What is CVE-2026-2312?
The Media Library Folders plugin for WordPress experiences a vulnerability due to inadequate validation in its delete_maxgalleria_media() and maxgalleria_rename_image() functions. Authenticated users with Author-level access and higher can exploit this weakness to delete or rename attachments owned by other users, including those with administrative privileges. Furthermore, the process of renaming an attachment leads to the deletion of all associated postmeta, resulting in potential data loss for the affected users.
Affected Version(s)
Media Library Folders 0 <= 8.3.6