Is WordPress affected by CVE-2026-2312?

Organizations using for WordPress is vulnerable to Insecure Direct Object Reference in all should be aware of moderate risk from CVE-2026-2312, a missing authorization vulnerability rated CVSS 4.3. Attackers could gain access beyond their authorized level.

CVE-2026-2312

MEDIUM

2026-02-14 [email protected]

4.3

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:03 vuln.today

CVE Published

Feb 14, 2026 - 12:15 nvd

MEDIUM 4.3

Description

The Media Library Folders plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 8.3.6 via the delete_maxgalleria_media() and maxgalleria_rename_image() functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to delete or rename attachments owned by other users (including administrators). The rename flow also deletes all postmeta for the target attachment, causing data loss.

Analysis

Authenticated users with Author-level privileges in WordPress Media Library Folders plugin (versions up to 8.3.6) can delete or rename arbitrary attachments belonging to other users through insufficient validation in the delete_maxgalleria_media() and maxgalleria_rename_image() functions. The rename operation also destroys all postmeta associated with target attachments, resulting in permanent data loss. …

Remediation

Within 30 days: Identify affected systems running for WordPress is vulnerable to Insecure Direct Object Refere and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +22

POC: 0

CVE-2026-2312 vulnerability details – vuln.today

Back

CVE-2026-2312

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-2312

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code