CVE-2026-2312
Insecure Direct Object Reference in Media Library Folders Plugin Allows Data Loss
Publication date: 2026-02-14
Last updated on: 2026-02-14
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| media_library_folders | media_library_folders | to 8.3.6 (inc) |
| media_library_plus | media_library_plus | 8.3.7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Media Library Folders plugin for WordPress has an Insecure Direct Object Reference vulnerability in all versions up to and including 8.3.6. This vulnerability exists in the delete_maxgalleria_media() and maxgalleria_rename_image() functions because they do not properly validate a user-controlled key.
As a result, authenticated attackers with Author-level access or higher can delete or rename attachments owned by other users, including administrators. Additionally, the rename process deletes all postmeta data for the targeted attachment, which can lead to data loss.
How can this vulnerability impact me? :
This vulnerability allows attackers with Author-level access or above to delete or rename media attachments belonging to other users, including administrators.
The rename operation also deletes all associated postmeta data for the targeted attachment, potentially causing significant data loss.
Such unauthorized modifications can disrupt website content management, cause loss of important media files, and undermine trust in the integrity of the site.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
The vulnerability affects all versions of the Media Library Folders plugin up to and including 8.3.6. An immediate mitigation step is to update the plugin to version 8.3.7 or later, which is a major release that likely addresses this issue.
Additionally, restrict Author-level access and above to trusted users only, as the vulnerability requires authenticated users with at least Author-level privileges.