CVE-2025-62098

2025-12-31

Lifecycle Timeline

- Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
- CVE Published: Dec 31, 2025 - 15:15 (nvd)

Description

Missing Authorization vulnerability in totalsoft Portfolio Gallery gallery-portfolio allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Portfolio Gallery: from n/a through <= 1.4.8.

Analysis

Missing authorization controls in the totalsoft Portfolio Gallery WordPress plugin, versions through 1.4.8, allow unauthenticated attackers to exploit incorrectly configured access control security levels, potentially exposing sensitive gallery content and administrative functionality to unauthorized access. The weakness is broken access control rather than authentication bypass, so authenticated users may also reach resources beyond their privilege level. With an EPSS score of 0.05% (17th percentile) and no CVSS severity data, real-world exploitation appears limited despite the theoretical exposure.

Technical Context

The vulnerability is classified under CWE-862 (Missing Authorization), which indicates the application fails to enforce access control checks before allowing users to perform sensitive operations or access restricted resources. In a WordPress gallery plugin, this typically manifests as insufficient capability checks on gallery management endpoints, REST API calls, or file access operations. The Portfolio Gallery plugin likely implements gallery visibility or access tiers (public, private, members-only) that are not properly validated server-side, so the plugin trusts client-side controls or session data instead of verifying the user's actual role (subscriber, contributor, editor, administrator) against the requested resource's access policy.
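The missing server-side check described above, as an added illustration only (the advisory does not disclose Portfolio Gallery's internals, and this is not the plugin's code): a hypothetical REST route that changes a gallery's visibility, first with the CWE-862 pattern and then with the capability and object-level checks a defender would expect. The `example-gallery` namespace, the `gallery` post type and the `_gallery_visibility` meta key are assumptions.

```php
<?php
// Added example (not from the Portfolio Gallery plugin). Assumed names:
// namespace 'example-gallery/v1', post type 'gallery', meta key '_gallery_visibility'.

// VULNERABLE PATTERN (CWE-862): permission_callback answers true for everyone,
// so any visitor or low-privileged user can flip a gallery from private to public.
//   'permission_callback' => '__return_true',

// HARDENED PATTERN: the route is only registered with a real authorization check.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-gallery/v1', '/gallery/(?P<id>\d+)/visibility', array(
        'methods'             => 'POST',
        'callback'            => 'example_gallery_set_visibility',
        // Authorization is decided server-side, never from a client-supplied flag.
        'permission_callback' => 'example_gallery_can_edit',
        'args'                => array(
            'visibility' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return in_array( $value, array( 'public', 'private', 'members' ), true );
                },
            ),
        ),
    ) );
} );

function example_gallery_can_edit( WP_REST_Request $request ) {
    $id   = (int) $request['id'];
    $post = get_post( $id );
    // Object must exist and be a gallery; otherwise report 404 rather than leak state.
    if ( ! $post || 'gallery' !== $post->post_type ) {
        return new WP_Error( 'rest_not_found', 'Gallery not found.', array( 'status' => 404 ) );
    }
    // Object-level capability check: can THIS user edit THIS gallery?
    // 'edit_post' is a meta capability WordPress resolves per post and per role.
    if ( ! current_user_can( 'edit_post', $id ) ) {
        // 401 for anonymous callers, 403 for logged-in users who lack the capability.
        return new WP_Error( 'rest_forbidden', 'Not allowed.', array( 'status' => rest_authorization_required_code() ) );
    }
    return true;
}

function example_gallery_set_visibility( WP_REST_Request $request ) {
    $id = (int) $request['id'];
    update_post_meta( $id, '_gallery_visibility', sanitize_key( $request['visibility'] ) );
    return rest_ensure_response( array(
        'id'         => $id,
        'visibility' => get_post_meta( $id, '_gallery_visibility', true ),
    ) );
}
```

When auditing a plugin for this weakness, grep its REST and `wp_ajax_` registrations for `__return_true` permission callbacks and for handlers that never call `current_user_can()`; those are the spots where a role check is being trusted to the client.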

Affected Products

totalsoft Portfolio Gallery WordPress plugin versions 1.4.8 and earlier are affected. The plugin is distributed via the WordPress.org plugin repository. Affected installations include any WordPress site running the gallery-portfolio plugin with version numbering from initial release through 1.4.8 (exact initial version not specified in available data).

Remediation

Update totalsoft Portfolio Gallery to version 1.4.9 or later, which addresses the missing authorization controls. Site administrators should access the WordPress admin dashboard, navigate to Plugins > Installed Plugins, locate Gallery Portfolio, and click Update if available, or deactivate and remove the plugin if no patched version is applicable to their deployment. For organizations unable to immediately patch, implement web application firewall (WAF) rules to restrict access to gallery management endpoints to authenticated administrative users only, and audit existing gallery visibility settings to ensure sensitive galleries are not unintentionally exposed. Refer to the Patchstack database advisory at https://patchstack.com/database/Wordpress/Plugin/gallery-portfolio/vulnerability/wordpress-portfolio-gallery-plugin-1-4-8-broken-access-control-vulnerability for confirmation of patch availability and detailed mitigation guidance.

Priority Score

Score: 0 (scale: Low / Medium / High / Critical)

- KEV: 0
- EPSS: +0.1
- CVSS: +0
- POC: 0
