CVE-2026-2312 - Media Library Folders <= 8.3.6 - insecure direct object reference to authenticate...

CVE ID : CVE-2026-2312 Published : Feb. 14, 2026, 11:24 a.m. | 28 minutes ago Description : The Media Library Folders plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 8.3.6 via the delete_maxgalleria_media() and maxgalleria_rename_image() functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to delete or rename attachments owned by other users (including administrators). The rename flow also deletes all postmeta for the target attachment, causing data loss. Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...