3d-image-gallery CVE-2025-49394
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
5DescriptionCVE.org
Missing Authorization vulnerability in bPlugins Image Gallery block - Create and display photo gallery/photo album. 3d-image-gallery allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Image Gallery block - Create and display photo gallery/photo album.: from n/a through <= 1.0.7.
AnalysisAI
Broken access control in WordPress Image Gallery block plugin (bPlugins 3d-image-gallery) versions ≤1.0.7 allows authenticated low-privilege users to bypass authorization checks and access administrative functions, enabling unauthorized modification of gallery settings (low integrity impact) or triggering denial of service conditions (high availability impact). Reported by Patchstack with 0.07% EPSS score, indicating minimal active exploitation probability. No active exploitation confirmed via CISA KEV.
Technical ContextAI
This vulnerability stems from CWE-862 (Missing Authorization), a server-side access control weakness where security checks are entirely absent rather than merely weak. The WordPress plugin fails to implement proper capability checks on administrative functions exposed through its block interface. According to CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H, the flaw is exploitable over the network with low complexity by any authenticated user (PR:L indicates Contributor-level or above in WordPress context). The asymmetric impact (low integrity, high availability, no confidentiality breach) suggests vulnerable endpoints can both modify limited data and trigger resource exhaustion or crashes. WordPress plugins commonly expose AJAX handlers or REST API endpoints without nonce validation or capability checks, allowing authenticated users to invoke functions intended only for Administrators.
Affected ProductsAI
WordPress plugin 'Image Gallery block - Create and display photo gallery/photo album' (bPlugins 3d-image-gallery) versions from earliest available through 1.0.7 inclusive. The vulnerability affects all installations running version 1.0.7 or earlier. Vendor advisory and patch details available at Patchstack database: https://patchstack.com/database/Wordpress/Plugin/3d-image-gallery/vulnerability/wordpress-image-gallery-block-create-and-display-photo-gallery-photo-album-plugin-1-0-7-broken-authentication-vulnerability
RemediationAI
Update 3d-image-gallery plugin to version 1.0.8 or later if available (patch version not independently confirmed from provided data - verify latest release at wordpress.org/plugins/3d-image-gallery or Patchstack advisory). Until patching, implement compensating controls: restrict WordPress user registrations to prevent untrusted account creation, audit existing low-privilege user accounts (Subscriber/Contributor roles) and remove unnecessary access, monitor plugin-related AJAX and REST API requests for anomalous activity from non-admin users. For high-risk environments, temporarily deactivate the plugin if gallery functionality is non-critical. Note that restricting user roles may impact legitimate site functionality like content contribution. Review WordPress admin logs for unauthorized gallery modifications or service disruptions following the initial vulnerability disclosure date.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today