Atomic Edge analysis of CVE-2026-2312:
This vulnerability is an Insecure Direct Object Reference (IDOR) in the Media Library Folders WordPress plugin, affecting versions up to and including 8.3.6. It allows authenticated attackers with Author-level permissions or higher to delete or rename attachments belonging to other users, including administrators. The CVSS score is 4.3 (Medium).
Root Cause:
The vulnerability exists in the `delete_maxgalleria_media()` and `maxgalleria_rename_image()` functions within the `media-library-plus.php` file. Both functions accept user-controlled parameters (`serial_delete_ids` and `image_id` respectively) without performing object-level authorization checks. The functions verify the user has the `upload_files` capability and validate a nonce, but they fail to verify the requesting user owns the target attachment or has permission to modify it. This missing validation creates an IDOR condition.
Exploitation:
An attacker with Author privileges sends a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to either `delete_maxgalleria_media` or `maxgalleria_rename_image`. For deletion, the attacker supplies a comma-separated list of target attachment IDs via the `serial_delete_ids` parameter. For renaming, the attacker supplies the target attachment ID via `image_id` and the new name via `new_file_name`. The request must include a valid nonce, which Author users can obtain from the plugin's interface; the nonce only defends against CSRF and says nothing about whether the caller may act on the named attachment. The server processes the request without checking attachment ownership.
Patch Analysis:
The patch in version 8.3.7 adds object-level authorization to both vulnerable functions. In `delete_maxgalleria_media()`, the patch introduces a loop that calls `current_user_can('delete_post', $delete_id)` for each target ID. For attachments, it also checks that the current user is the post author, unless the user has admin-like capabilities (`manage_options`). The `maxgalleria_rename_image()` function now calls `current_user_can('edit_post', $file_id)` and performs the same owner check. The patch also removes the `wp_ajax_nopriv_` hooks, so the actions are no longer reachable without authentication. Additionally, the rename function no longer deletes all postmeta for the target attachment, preserving custom field data.
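The following is an added illustrative example, not the plugin's own code, showing the vulnerable handler shape described under Root Cause next to a hardened shape that mirrors the checks the advisory attributes to 8.3.7. Function and action names follow the advisory; the nonce action and field names, the JSON error responses, and the helper `maxgalleria_user_can_modify_attachment()` are assumptions made for illustration.

```php
<?php
/**
 * Added illustrative example: vulnerable vs. hardened AJAX handler shapes.
 * This is NOT the plugin's own code. Function and action names follow the
 * advisory; the nonce action/field names, the error responses and the helper
 * maxgalleria_user_can_modify_attachment() are assumptions for illustration.
 */

/* Vulnerable shape (as described for <= 8.3.6): only a capability and a nonce. */
function delete_maxgalleria_media_vulnerable() {
    // Nonce names assumed. A nonce proves the request came from the plugin UI;
    // it is CSRF protection, not authorization.
    check_ajax_referer( 'maxgalleria_media', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }
    $ids = array_map( 'intval', explode( ',', (string) ( $_POST['serial_delete_ids'] ?? '' ) ) );
    foreach ( $ids as $id ) {
        // IDOR: no check that the caller may act on THIS attachment, so any
        // Author can delete any attachment ID, including an administrator's.
        wp_delete_attachment( $id, true );
    }
    wp_send_json_success();
}

/* Object-level gate mirroring the 8.3.7 fix as described (helper name assumed). */
function maxgalleria_user_can_modify_attachment( $meta_cap, $id ) {
    $post = get_post( $id );
    if ( ! $post || 'attachment' !== $post->post_type ) {
        return false; // nonexistent or not an attachment: refuse rather than touch other post types
    }
    // Per-object meta capability ('delete_post' or 'edit_post') resolved for this ID.
    if ( ! current_user_can( $meta_cap, $id ) ) {
        return false;
    }
    // Owner check unless the caller has admin-like capabilities.
    if ( (int) $post->post_author !== get_current_user_id() && ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    return true;
}

function delete_maxgalleria_media_fixed() {
    check_ajax_referer( 'maxgalleria_media', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }
    $ids = array_filter( array_map( 'intval', explode( ',', (string) ( $_POST['serial_delete_ids'] ?? '' ) ) ) );
    // Authorize every ID before deleting any, so a mixed list cannot partially succeed.
    foreach ( $ids as $id ) {
        if ( ! maxgalleria_user_can_modify_attachment( 'delete_post', $id ) ) {
            wp_send_json_error( "not permitted to delete attachment $id", 403 );
        }
    }
    foreach ( $ids as $id ) {
        wp_delete_attachment( $id, true );
    }
    wp_send_json_success( array( 'deleted' => array_values( $ids ) ) );
}

function maxgalleria_rename_image_fixed() {
    check_ajax_referer( 'maxgalleria_media', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }
    $id       = (int) ( $_POST['image_id'] ?? 0 );
    $new_name = sanitize_file_name( wp_unslash( (string) ( $_POST['new_file_name'] ?? '' ) ) );
    if ( '' === $new_name || ! maxgalleria_user_can_modify_attachment( 'edit_post', $id ) ) {
        wp_send_json_error( 'not permitted to rename this attachment', 403 );
    }
    // The file rename and thumbnail handling are the plugin's own logic and are not reproduced here.
    wp_send_json_success( array( 'id' => $id, 'new_file_name' => $new_name ) );
}

// Authenticated hooks only: no wp_ajax_nopriv_* registration for either action.
add_action( 'wp_ajax_delete_maxgalleria_media', 'delete_maxgalleria_media_fixed' );
add_action( 'wp_ajax_maxgalleria_rename_image', 'maxgalleria_rename_image_fixed' );
```

Two points worth noting when reviewing a fix of this kind. First, `current_user_can( 'delete_post', $id )` on an attachment owned by someone else resolves through `map_meta_cap()` to `delete_others_posts`, which Authors lack but Editors hold; the explicit owner check is therefore what also stops an Editor from removing another user's media unless they have `manage_options`. Second, authorizing the whole `serial_delete_ids` list before deleting anything avoids a request that deletes the caller's own IDs and only then fails on the first foreign one.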
Impact:
Successful exploitation allows an authenticated attacker to delete arbitrary media attachments from the WordPress site, causing permanent data loss. The rename function also deletes all generated thumbnail files for the target attachment and, in the vulnerable version, deletes all associated postmeta, which can include critical metadata from plugins like ACF or SEO tools. This attack can disrupt site functionality, remove administrative media, and cause collateral damage to posts or pages that reference the affected attachments.
