Vulnerabilities and security researches formedia-library-plus media-library-plus

Jun 07, 2024

CVE, Research URL: CVE-2022-41634
Home page URL: Security reports for Media Library Folders
Application: Media Library Folders
Date: Nov 19, 2022
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Media Library Folders plugin <= 7.1.1 on WordPress.
Affected versions: max 7.1.2.
Status: vulnerable

CVE, Research URL: CVE-2024-30486
Home page URL: Security reports for Media Library Folders
Application: Media Library Folders
Date: Mar 29, 2024
Research Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Max Foundry Media Library Folders.This issue affects Media Library Folders: from n/a through 8.1.7.
Affected versions: max 8.1.8.
Status: vulnerable

CVE, Research URL: CVE-2024-31287
Home page URL: Security reports for Media Library Folders
Application: Media Library Folders
Date: Apr 10, 2024
Research Description: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Max Foundry Media Library Folders.This issue affects Media Library Folders: from n/a through 8.1.8.
Affected versions: max 8.1.9.
Status: vulnerable

CVE, Research URL: CVE-2024-3615
Home page URL: Security reports for Media Library Folders
Application: Media Library Folders
Date: Apr 19, 2024
Research Description: The Media Library Folders plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 8.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions: max 8.2.1.
Status: vulnerable

Aug 29, 2024

CVE, Research URL: CVE-2024-7857
Home page URL: Security reports for Media Library Folders
Application: Media Library Folders
Date: Aug 29, 2024
Research Description: The Media Library Folders plugin for WordPress is vulnerable to second order SQL Injection via the 'sort_type' parameter of the 'mlf_change_sort_type' AJAX action in all versions up to, and including, 8.2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions: max 8.2.3.
Status: vulnerable

Aug 30, 2024

CVE, Research URL: CVE-2024-7858
Home page URL: Security reports for Media Library Folders
Application: Media Library Folders
Date: Aug 30, 2024
Research Description: The Media Library Folders plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several AJAX functions in the media-library-plus.php file in all versions up to, and including, 8.2.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several actions related to managing media files and folder along with controlling settings.
Affected versions: max 8.2.4.
Status: vulnerable

Feb 15, 2025

CVE, Research URL: CVE-2025-0935
Home page URL: Security reports for Media Library Folders
Application: Media Library Folders
Date: Feb 15, 2025
Research Description: The Media Library Folders plugin for WordPress is vulnerable to unauthorized plugin settings change due to a missing capability check on several AJAX actions in all versions up to, and including, 8.3.0. This makes it possible for authenticated attackers, with Author-level access and above, to change plugin settings related to things such as IP-blocking.
Affected versions: max 8.3.1.
Status: vulnerable

Apr 15, 2026

CVE, Research URL: CVE-2026-2312
Home page URL: Security reports for Media Library Folders
Application: Media Library Folders
Date: Feb 14, 2026
Research Description: The Media Library Folders plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 8.3.6 via the delete_maxgalleria_media() and maxgalleria_rename_image() functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to delete or rename attachments owned by other users (including administrators). The rename flow also deletes all postmeta for the target attachment, causing data loss.
Affected versions: max 8.3.7.
Status: vulnerable