Description
The Media Library Folders plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 8.3.6 via the delete_maxgalleria_media() and maxgalleria_rename_image() functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to delete or rename attachments owned by other users (including administrators). The rename flow also deletes all postmeta for the target attachment, causing data loss.
Published: 2026-02-14
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted deletion or renaming of media attachments causing data loss
Action: Patch Plugin
AI Analysis

Impact

The Media Library Folders plugin for WordPress contains an insecure direct object reference flaw, classified as CWE-862 (Missing Authorization), that allows authenticated users with the Author role or higher to delete or rename media attachments belonging to other users. The underlying delete_maxgalleria_media() and maxgalleria_rename_image() functions act on an attachment ID taken from the request without checking that the caller is authorized for that particular attachment, so a role check alone is not enough: an Author can supply the ID of any attachment, including one uploaded by an administrator. Deletion removes the attachment and its files; the rename flow additionally deletes all postmeta associated with the attachment (such as its stored file path and generated image sizes), so even a "successful" rename leaves the media item damaged.
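The following PHP is an added illustration of the bug class and its fix pattern; it is not code from the Media Library Folders plugin, and the handler names, AJAX action names, nonce names and the mlf_example_ prefix are assumptions chosen for the example. It shows an admin-ajax delete handler that checks only the caller's role (the IDOR pattern the advisory describes), then the hardened form of the delete and rename handlers, which authorize the specific attachment with WordPress's per-object meta capabilities.

```php
<?php
// Added example, not the plugin's own code. Handler and action names are hypothetical.

// --- Vulnerable pattern: role check only, object taken from the client as-is. ---
// Any user who can reach this handler (Authors hold upload_files) can delete
// attachments owned by anyone, because nothing ties $id to the caller.
function mlf_example_delete_media_vulnerable() {
    $id = absint( $_POST['id'] ?? 0 );
    if ( ! current_user_can( 'upload_files' ) ) {   // role-level check, no per-object check
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_delete_attachment( $id, true );              // removes the post row, its files and all postmeta
    wp_send_json_success();
}

// --- Hardened pattern: authorize the object, not just the role. ---
// Resolves the attachment referenced by the request and ends the request with a
// JSON error unless the current user holds $capability for that specific post.
function mlf_example_authorize_attachment( $id, $capability ) {
    $id   = absint( $id );
    $post = $id ? get_post( $id ) : null;

    // Reject IDs that are not attachments (ordinary posts, revisions, typos).
    if ( ! $post || 'attachment' !== $post->post_type ) {
        wp_send_json_error( 'not an attachment', 404 );
    }
    // Per-object check: WordPress maps delete_post / edit_post on another user's
    // post to delete_others_posts / edit_others_posts, which Authors do not have,
    // so an Author passes this only for their own uploads.
    if ( ! current_user_can( $capability, $post->ID ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    return $post;
}

function mlf_example_delete_media_hardened() {
    check_ajax_referer( 'mlf_example_delete', 'nonce' );   // CSRF check; does not replace authorization
    $post = mlf_example_authorize_attachment( $_POST['id'] ?? 0, 'delete_post' );
    wp_delete_attachment( $post->ID, true );
    wp_send_json_success( array( 'deleted' => $post->ID ) );
}

// Rename goes through the same gate with edit_post, since renaming modifies the object.
// The stored path is updated in place so existing postmeta is preserved rather than
// deleted and re-created; regenerating image sizes after the move is omitted here.
function mlf_example_rename_media_hardened() {
    check_ajax_referer( 'mlf_example_rename', 'nonce' );
    $post     = mlf_example_authorize_attachment( $_POST['id'] ?? 0, 'edit_post' );
    $new_name = sanitize_file_name( wp_unslash( $_POST['new_name'] ?? '' ) );
    if ( '' === $new_name ) {
        wp_send_json_error( 'invalid name', 400 );
    }
    $old_file = get_attached_file( $post->ID );
    $new_file = trailingslashit( dirname( $old_file ) ) . $new_name;   // same directory only
    if ( ! rename( $old_file, $new_file ) ) {
        wp_send_json_error( 'rename failed', 500 );
    }
    update_attached_file( $post->ID, $new_file );
    wp_send_json_success( array( 'renamed' => $post->ID ) );
}

add_action( 'wp_ajax_mlf_example_delete', 'mlf_example_delete_media_hardened' );
add_action( 'wp_ajax_mlf_example_rename', 'mlf_example_rename_media_hardened' );
```

Two points worth checking when reviewing a fix for this class of bug: a nonce proves the request came from the site's own UI, not that the user may act on that object, so check_ajax_referer() alone does not close an IDOR; and the capability must be checked against the post ID (current_user_can( 'delete_post', $id )), because current_user_can( 'delete_posts' ) without an ID is the same role-level check the vulnerable handler already had.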

Affected Systems

All releases of the MaxFoundry Media Library Folders plugin for WordPress up to and including version 8.3.6 are affected. No alternative vendors or products are mentioned in the advisory.

Risk and Exploitability

The CVSS v3.1 base score of 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) is rated Medium; the vector scores the impact as a loss of integrity only, which understates the practical effect on a site that depends on its media library, since deleted attachments and postmeta are not recoverable without a backup. The EPSS score is below 1 %, indicating a small predicted likelihood of exploitation, the CISA SSVC assessment records Exploitation: none and Automatable: no, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a logged-in user with the Author role or higher who sends a crafted request to the affected endpoints carrying the ID of another user's attachment. The attack vector is network (AV:N), so the request is made remotely over HTTP like any other authenticated WordPress action; the limiting factor is possession of a low-privilege account, not network position, which matters for sites that hand out Author accounts to contributors.

Generated by OpenCVE AI on April 15, 2026 at 20:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Media Library Folders to a release that addresses the insecure direct object reference (8.3.7 or later per these recommendations; confirm against the vendor's changelog, since the Remediation field above records no vendor fix).
  • Until patched, limit who holds the Author role or higher, and restrict media-management capabilities for lower-trust roles with a role-editor plugin or custom capability configuration. This narrows who can reach the affected functions; it does not add the missing per-object check.
  • If an update is not immediately available, deactivate the plugin until a fixed release is installed, and keep recent backups of the uploads directory and the database so that deleted attachments and their postmeta can be restored.


Advisories

No advisories yet.

History

Tue, 17 Feb 2026 22:15:00 +0000

Metrics: added ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Feb 2026 12:15:00 +0000

First Time appeared: added Maxfoundry; Maxfoundry media Library Folders; Wordpress; Wordpress wordpress
Vendors & Products: added Maxfoundry; Maxfoundry media Library Folders; Wordpress; Wordpress wordpress

Sat, 14 Feb 2026 11:45:00 +0000

Description: added "The Media Library Folders plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 8.3.6 via the delete_maxgalleria_media() and maxgalleria_rename_image() functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to delete or rename attachments owned by other users (including administrators). The rename flow also deletes all postmeta for the target attachment, causing data loss."
Title: added Media Library Folders <= 8.3.6 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Attachment Deletion and Rename
Weaknesses: added CWE-862
References:
Metrics: added cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:23:55.974Z

Reserved: 2026-02-10T21:49:00.293Z

Link: CVE-2026-2312

Vulnrichment

Updated: 2026-02-17T21:21:09.072Z

NVD

Status: Deferred

Published: 2026-02-14T12:15:56.123

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2312

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T20:45:06Z

Weaknesses