CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Description (NVD)
Missing Authorization vulnerability in Navneil Naicker ACF Galerie 4 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ACF Galerie 4: from n/a through 1.4.2.
Analysis (AI)
Broken access control in Navneil Naicker ACF Galerie 4 plugin versions up to 1.4.2 allows authenticated users to modify content they should not have permission to access. The vulnerability stems from missing authorization checks in functionality protected only by authentication level, enabling privilege escalation or unauthorized data modification by low-privileged WordPress users.
Technical Context (AI)
ACF Galerie 4 is a WordPress plugin for gallery management that integrates with Advanced Custom Fields (ACF). The vulnerability is rooted in CWE-862 (Missing Authorization), indicating the plugin performs authentication verification (confirming user identity) but fails to implement proper authorization checks (verifying user permissions for specific actions). The affected CPE cpe:2.3:a:navneil_naicker:acf_galerie_4 indicates the plugin itself is the vulnerable component. The vulnerability affects the access control security model, likely in admin or AJAX endpoints where the plugin fails to validate user roles or capabilities before allowing modification of gallery data or settings.
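The authentication-without-authorization pattern described above, shown as an added illustration in hypothetical plugin code (not ACF Galerie 4's source; the hook, function, nonce and meta-key names are assumed). A `wp_ajax_` hook fires for any logged-in user, so the first handler is reachable by a Subscriber; the second adds the capability check that CWE-862 is missing.

```php
<?php
// Added illustration of CWE-862 in a WordPress AJAX handler. Hypothetical
// code, NOT the plugin's own source; all names below are assumed.

// Vulnerable pattern: wp_ajax_{action} only requires that the caller be
// logged in (authentication). Nothing verifies that this user may edit
// this particular post (authorization).
add_action( 'wp_ajax_hypo_gallery_save_v1', 'hypo_gallery_save_vulnerable' );
function hypo_gallery_save_vulnerable() {
    $gallery_id = isset( $_POST['gallery_id'] ) ? absint( $_POST['gallery_id'] ) : 0;
    $title      = isset( $_POST['title'] )
        ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    // Any authenticated role can overwrite metadata on any post ID it names.
    update_post_meta( $gallery_id, '_hypo_gallery_title', $title );
    wp_send_json_success();
}

// Hardened pattern: a nonce check (CSRF) plus an explicit capability check
// against the specific object being modified. The two are independent:
// a valid nonce does not prove the user is allowed to perform the action.
add_action( 'wp_ajax_hypo_gallery_save', 'hypo_gallery_save_fixed' );
function hypo_gallery_save_fixed() {
    check_ajax_referer( 'hypo_gallery_save', 'nonce' ); // dies on bad/missing nonce

    $gallery_id = isset( $_POST['gallery_id'] ) ? absint( $_POST['gallery_id'] ) : 0;

    // Authorization: 'edit_post' is a meta capability resolved per post, so a
    // Contributor can edit only their own drafts, not other users' galleries.
    if ( ! $gallery_id || ! current_user_can( 'edit_post', $gallery_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $title = isset( $_POST['title'] )
        ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    update_post_meta( $gallery_id, '_hypo_gallery_title', $title );
    wp_send_json_success();
}
```

When auditing a plugin for this class of bug, look for every `wp_ajax_`, `admin_post_` and REST route callback and confirm each one calls `current_user_can()` (or a REST `permission_callback`) for the object it touches, not just a nonce check.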
Remediation (AI)
Upgrade ACF Galerie 4 to a version newer than 1.4.2 immediately. Check the official WordPress plugin repository or Navneil Naicker's update channel for the latest patched release and apply it through the WordPress admin dashboard. If upgrading is not immediately possible, either disable the ACF Galerie 4 plugin entirely until a patch is available, or, as a temporary compensating control, remove gallery-related access from Contributor and lower-privilege roles through WordPress role management (Settings > Users); note that this may restrict legitimate editorial workflows. Review user permissions in WordPress and audit gallery content for any unauthorized changes made by low-privilege users during the period the vulnerability was active. The Patchstack database (https://patchstack.com/database/wordpress/plugin/acf-galerie-4/vulnerability/wordpress-acf-galerie-4-plugin-1-4-2-broken-access-control-vulnerability) should be monitored for confirmation of patch availability.
Related identifiers
EUVD-2025-209561
GHSA-3p5v-c45v-mqqc