CVE-2026-2312: CWE-862 Missing Authorization in maxfoundry Media Library Folders
The Media Library Folders plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 8.3.6 via the delete_maxgalleria_media() and maxgalleria_rename_image() functions due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to delete or rename attachments owned by other users (including administrators). The rename flow also deletes all postmeta for the target attachment, causing data loss.
AI Analysis
Technical Summary
CVE-2026-2312 is a vulnerability classified under CWE-862 (Missing Authorization) in the maxfoundry Media Library Folders plugin for WordPress, affecting all versions up to and including 8.3.6. The flaw lies in two functions, delete_maxgalleria_media() and maxgalleria_rename_image(), which handle deletion and renaming of media attachments respectively. Both accept a user-controlled key identifying the target attachment and fail to check that the requesting user is authorized to act on that object, an Insecure Direct Object Reference (IDOR). As a result, any authenticated user with Author-level privileges or higher can delete or rename attachments they do not own, including attachments owned by administrators. The rename path additionally deletes all postmeta associated with the targeted attachment, so the data loss extends beyond the media file itself. Exploitation requires only an authenticated account and is possible remotely over the network, with no further user interaction. The CVSS v3.1 base score is 4.3 (medium): confidentiality and availability are largely unaffected, while integrity and data retention are impacted. No public exploits have been reported yet, but the issue is a concrete risk for WordPress sites running this plugin, particularly multi-user installations with several privilege levels. The absence of patch links suggests a fix may not yet be publicly available, which makes interim mitigation important.
Potential Impact
The primary impact of CVE-2026-2312 is unauthorized modification and deletion of media attachments and associated metadata by users with Author-level access or higher. This can lead to significant data integrity issues, including loss of important media files and their metadata, which may affect website content, user experience, and operational workflows. Since attachments owned by administrators can be targeted, the risk extends to critical site assets. Although confidentiality and availability are not directly impacted, the loss or alteration of media content can disrupt business operations, damage brand reputation, and require costly recovery efforts. Organizations with multi-author WordPress sites, such as media companies, educational institutions, and enterprises relying on collaborative content management, are particularly vulnerable. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers could develop exploits given the public disclosure. The vulnerability also increases the attack surface for insider threats or compromised Author accounts, potentially facilitating further privilege escalation or lateral movement within the site environment.
Mitigation Recommendations
To mitigate CVE-2026-2312, organizations should first determine whether the maxfoundry Media Library Folders plugin is installed and which version is in use. Since no official patches are currently linked, immediate steps include restricting Author-level and higher access to trusted users and auditing user roles to remove unnecessary privileges. Monitoring for unusual media deletion or renaming activity (for example, attachment changes by users who do not own the affected media) can help detect exploitation attempts. Administrators should consider temporarily disabling or removing the plugin until a security update is released. Regular backups of media files and the associated postmeta are critical, because the rename flow destroys metadata that cannot otherwise be recovered. As a temporary workaround, site owners can add custom code or use security plugins to enforce authorization checks on media management functions, confirming that the current user may edit or delete the specific attachment referenced by the request. Keeping WordPress core and all plugins updated and subscribing to security advisories from maxfoundry and WordPress security communities will ensure timely application of the official fix once it is available.
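The following is an added illustration of the authorization check the workaround above refers to; it is not code from the Media Library Folders plugin and does not reproduce its handlers. It shows a WordPress AJAX handler pattern in which the attachment ID supplied by the client is treated as untrusted: the handler verifies the object exists and is an attachment, then asks WordPress's capability system whether the current user may delete (or, for a rename, edit) that specific post. The action name, nonce name and function names are hypothetical; the WordPress functions (absint, get_post, current_user_can, check_ajax_referer, wp_delete_attachment, wp_send_json_*) are real core APIs.

```php
<?php
// Added example (hypothetical names): gating attachment delete/rename on
// per-object authorization instead of trusting a user-controlled ID.

add_action( 'wp_ajax_example_delete_attachment', 'example_delete_attachment' );
add_action( 'wp_ajax_example_rename_attachment', 'example_rename_attachment' );

/**
 * Returns true only if the current user may perform $meta_cap on the given
 * attachment. $meta_cap is 'delete_post' or 'edit_post'; WordPress maps these
 * meta capabilities to delete_posts/delete_others_posts (or edit_*) based on
 * ownership, so an Author passes only for attachments they own, while an
 * Administrator passes for any attachment.
 */
function example_can_manage_attachment( $attachment_id, $meta_cap ) {
    $attachment_id = absint( $attachment_id );
    if ( 0 === $attachment_id ) {
        return false;
    }
    $post = get_post( $attachment_id );
    // The ID came from the client: confirm it refers to an existing attachment
    // and not to some other post type.
    if ( ! $post || 'attachment' !== $post->post_type ) {
        return false;
    }
    if ( ! in_array( $meta_cap, array( 'delete_post', 'edit_post' ), true ) ) {
        return false;
    }
    return current_user_can( $meta_cap, $attachment_id );
}

function example_delete_attachment() {
    // CSRF protection; dies with a 403 response if the nonce is invalid.
    check_ajax_referer( 'example_media_nonce', 'nonce' );

    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    if ( ! example_can_manage_attachment( $attachment_id, 'delete_post' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Second argument true: bypass trash and remove the file and its meta.
    if ( ! wp_delete_attachment( $attachment_id, true ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => $attachment_id ) );
}

function example_rename_attachment() {
    check_ajax_referer( 'example_media_nonce', 'nonce' );

    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    $new_title     = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';

    if ( '' === $new_title ) {
        wp_send_json_error( 'missing title', 400 );
    }
    // A rename is an edit, so check edit_post rather than delete_post.
    if ( ! example_can_manage_attachment( $attachment_id, 'edit_post' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Update only the fields being renamed; existing postmeta is left intact.
    $result = wp_update_post(
        array( 'ID' => $attachment_id, 'post_title' => $new_title ),
        true
    );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'renamed' => $attachment_id, 'title' => $new_title ) );
}
```

The important design point is that the check is made against the specific object (current_user_can( 'delete_post', $attachment_id )), not against a role-level capability such as upload_files, which every Author already holds and which says nothing about who owns the attachment in the request.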
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, India, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-10T21:49:00.293Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69906138c9e1ff5ad886470f
Added to database: 2/14/2026, 11:49:12 AM
Last enriched: 2/21/2026, 10:12:15 PM
Last updated: 3/31/2026, 8:44:03 AM