Skip to main content

3d-image-gallery CVE-2025-49394

HIGH
Missing Authorization (CWE-862)
2025-11-06 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

5
Analysis Updated
Apr 24, 2026 - 00:58 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 15:43 NVD
8.8 (HIGH) 7.1 (HIGH)
Analysis Generated
Mar 28, 2026 - 19:20 vuln.today
CVE Published
Nov 06, 2025 - 16:15 nvd
HIGH 8.8

DescriptionCVE.org

Missing Authorization vulnerability in bPlugins Image Gallery block - Create and display photo gallery/photo album. 3d-image-gallery allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Image Gallery block - Create and display photo gallery/photo album.: from n/a through <= 1.0.7.

AnalysisAI

Broken access control in WordPress Image Gallery block plugin (bPlugins 3d-image-gallery) versions ≤1.0.7 allows authenticated low-privilege users to bypass authorization checks and access administrative functions, enabling unauthorized modification of gallery settings (low integrity impact) or triggering denial of service conditions (high availability impact). Reported by Patchstack with 0.07% EPSS score, indicating minimal active exploitation probability. No active exploitation confirmed via CISA KEV.

Technical ContextAI

This vulnerability stems from CWE-862 (Missing Authorization), a server-side access control weakness where security checks are entirely absent rather than merely weak. The WordPress plugin fails to implement proper capability checks on administrative functions exposed through its block interface. According to CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H, the flaw is exploitable over the network with low complexity by any authenticated user (PR:L indicates Contributor-level or above in WordPress context). The asymmetric impact (low integrity, high availability, no confidentiality breach) suggests vulnerable endpoints can both modify limited data and trigger resource exhaustion or crashes. WordPress plugins commonly expose AJAX handlers or REST API endpoints without nonce validation or capability checks, allowing authenticated users to invoke functions intended only for Administrators.

Affected ProductsAI

WordPress plugin 'Image Gallery block - Create and display photo gallery/photo album' (bPlugins 3d-image-gallery) versions from earliest available through 1.0.7 inclusive. The vulnerability affects all installations running version 1.0.7 or earlier. Vendor advisory and patch details available at Patchstack database: https://patchstack.com/database/Wordpress/Plugin/3d-image-gallery/vulnerability/wordpress-image-gallery-block-create-and-display-photo-gallery-photo-album-plugin-1-0-7-broken-authentication-vulnerability

RemediationAI

Update 3d-image-gallery plugin to version 1.0.8 or later if available (patch version not independently confirmed from provided data - verify latest release at wordpress.org/plugins/3d-image-gallery or Patchstack advisory). Until patching, implement compensating controls: restrict WordPress user registrations to prevent untrusted account creation, audit existing low-privilege user accounts (Subscriber/Contributor roles) and remove unnecessary access, monitor plugin-related AJAX and REST API requests for anomalous activity from non-admin users. For high-risk environments, temporarily deactivate the plugin if gallery functionality is non-critical. Note that restricting user roles may impact legitimate site functionality like content contribution. Review WordPress admin logs for unauthorized gallery modifications or service disruptions following the initial vulnerability disclosure date.

Share

CVE-2025-49394 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy