{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2312", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-10T21:49:00.293Z", "datePublished": "2026-02-14T11:24:28.662Z", "dateUpdated": "2026-04-08T17:23:55.974Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:23:55.974Z"}, "affected": [{"vendor": "maxfoundry", "product": "Media Library Folders", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "8.3.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Media Library Folders plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 8.3.6 via the delete_maxgalleria_media() and maxgalleria_rename_image() functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to delete or rename attachments owned by other users (including administrators). The rename flow also deletes all postmeta for the target attachment, causing data loss."}], "title": "Media Library Folders <= 8.3.6 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Attachment Deletion and Rename", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ccf77cb1-b6b6-49de-8de4-20eddd3b5e62?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3459947/media-library-plus"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "shivanandsnaidu"}], "timeline": [{"time": "2026-02-10T22:04:55.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-13T22:18:24.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T21:21:05.442020Z", "id": "CVE-2026-2312", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T21:21:12.355Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2312", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-17T21:21:05.442020Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T21:21:09.072Z"}}], "cna": {"title": "Media Library Folders <= 8.3.6 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Attachment Deletion and Rename", "credits": [{"lang": "en", "type": "finder", "value": "shivanandsnaidu"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "maxfoundry", "product": "Media Library Folders", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "8.3.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-10T22:04:55.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-13T22:18:24.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ccf77cb1-b6b6-49de-8de4-20eddd3b5e62?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3459947/media-library-plus"}], "descriptions": [{"lang": "en", "value": "The Media Library Folders plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 8.3.6 via the delete_maxgalleria_media() and maxgalleria_rename_image() functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to delete or rename attachments owned by other users (including administrators). The rename flow also deletes all postmeta for the target attachment, causing data loss."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-14T11:24:28.662Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2312", "state": "PUBLISHED", "dateUpdated": "2026-02-17T21:21:12.355Z", "dateReserved": "2026-02-10T21:49:00.293Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-14T11:24:28.662Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Media Library Folders plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 8.3.6 via the delete_maxgalleria_media() and maxgalleria_rename_image() functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to delete or rename attachments owned by other users (including administrators). The rename flow also deletes all postmeta for the target attachment, causing data loss."}, {"lang": "es", "value": "El plugin Media Library Folders para WordPress es vulnerable a Referencia Directa Insegura a Objeto en todas las versiones hasta la 8.3.6, inclusive, a trav\u00e9s de las funciones delete_maxgalleria_media() y maxgalleria_rename_image() debido a la falta de validaci\u00f3n en una clave controlada por el usuario. Esto permite a atacantes autenticados, con acceso de nivel Autor y superior, eliminar o renombrar archivos adjuntos propiedad de otros usuarios (incluidos los administradores). El flujo de renombrado tambi\u00e9n elimina todos los postmeta para el archivo adjunto objetivo, causando p\u00e9rdida de datos."}], "id": "CVE-2026-2312", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-14T12:15:56.123", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3459947/media-library-plus"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ccf77cb1-b6b6-49de-8de4-20eddd3b5e62?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.3.6]"}}], "product": "media_library_folders", "vendor": "maxfoundry"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T20:35:50.302618+00:00", "value": {"mitigation_remediation": ["Upgrade Media Library Folders to a version that addresses the insecure direct object reference (v8.3.7 or later).", "Restrict the author capability to delete or rename media files by using a role\u2011editor plugin or custom capability configuration.", "If an update is not immediately available, consider deactivating the plugin or restoring a previous backup before actively using the plugin."], "summary": {"action": "Patch Plugin", "impact": "Unrestricted deletion or renaming of media attachments causing data loss"}, "threat_synthesis": {"affected_systems": "All releases of the MaxFoundry Media Library Folders plugin for WordPress up to and including version 8.3.6 are affected. No alternative vendors or products are mentioned in the advisory.", "description_and_impact": "The Media Library Folders plugin for WordPress contains an insecure direct object reference flaw, a CWE-862 (Missing Authorization), that allows authenticated users with author or higher privileges to delete or rename any media attachment belonging to other users. The underlying delete_maxgalleria_media() and maxgalleria_rename_image() functions do not validate a user\u2011controlled key, so an attacker can target attachments owned by anyone, including administrators. In addition to removal, the rename operation deletes all postmeta associated with the attachment, resulting in loss of related metadata.", "risk_and_exploitability": "The CVSS v3 base score of 4.3 reflects a low\u2011to\u2011medium severity; the EPSS score is below 1\u202f%, indicating a small likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a logged\u2011in user with author or higher role who can issue a crafted request to the affected endpoints with the attachment ID of another user. Based on the description, it is inferred that remote exploitation is not possible; the attack vector requires authenticated web requests within the WordPress installation."}}}}, "created": "2026-02-16T12:01:52.289064+00:00", "updated": "2026-04-15T20:45:06.380396+00:00", "vendors": ["maxfoundry", "maxfoundry$PRODUCT$media_library_folders", "wordpress", "wordpress$PRODUCT$wordpress"]}