PT-2026-8102 · WordPress · Media Library Folders

Shivanandsnaidu · Published 2026-02-14 · Updated 2026-02-14 · CVE-2026-2312

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Media Library Folders plugin for WordPress versions up to and including 8.3.6

Description

The software contains an Insecure Direct Object Reference issue. This allows authenticated attackers with Author-level access or higher to delete or rename attachments belonging to other users, including administrators. The rename process also removes all postmeta associated with the targeted attachment, resulting in data loss. The issue is present due to a lack of validation on a user-controlled key within the delete_maxgalleria_media() and maxgalleria_rename_image() functions.

Recommendations

Versions prior to 8.3.7 should be updated.
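
For developers reviewing similar handlers, the per-object authorization check this class of issue lacks can look like the following. This is an added example, not code from Media Library Folders or its patch; the handler name, action name, nonce name and the `ids` request parameter are hypothetical, and only core WordPress functions are used.

```php
<?php
// Added illustration, not code from Media Library Folders.
// Hypothetical names: mlf_example_delete_media, mlf_example_nonce, the 'ids' parameter.

add_action( 'wp_ajax_mlf_example_delete_media', 'mlf_example_delete_media' );

function mlf_example_delete_media() {
    // CSRF protection only; a valid nonce says nothing about who owns the object.
    check_ajax_referer( 'mlf_example_nonce', 'nonce' );

    // Client-supplied list of attachment IDs: the user-controlled key.
    $raw = isset( $_POST['ids'] ) ? wp_unslash( $_POST['ids'] ) : '';
    $ids = array_filter( array_map( 'absint', explode( ',', (string) $raw ) ) );

    if ( empty( $ids ) ) {
        wp_send_json_error( array( 'message' => 'No attachment IDs supplied.' ), 400 );
    }

    // Authorize every ID before changing anything, so a mixed request
    // (own files plus someone else's) is rejected as a whole.
    foreach ( $ids as $id ) {
        if ( 'attachment' !== get_post_type( $id ) ) {
            wp_send_json_error( array( 'message' => 'Not an attachment.', 'id' => $id ), 400 );
        }
        // Meta capability: WordPress resolves it against the attachment's author.
        // Another user's attachment requires delete_others_posts, which the
        // Author role does not have.
        if ( ! current_user_can( 'delete_post', $id ) ) {
            wp_send_json_error( array( 'message' => 'Not allowed.', 'id' => $id ), 403 );
        }
    }

    $deleted = array();
    foreach ( $ids as $id ) {
        if ( wp_delete_attachment( $id, true ) ) {
            $deleted[] = $id;
        }
    }
    wp_send_json_success( array( 'deleted' => $deleted ) );
}
```

A rename handler would apply the same pattern with the `edit_post` meta capability checked against the target attachment ID before any file or postmeta change.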

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers: CVE-2026-2312

Affected Products: Media Library Folders