CVE-2025-62130
Description
Missing Authorization vulnerability in wpdiscover Accordion Slider Gallery accordion-slider-gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accordion Slider Gallery: from n/a through <= 2.7.
Analysis
Missing authorization controls in the WordPress Accordion Slider Gallery plugin, version 2.7 and earlier, allow unauthenticated or low-privileged users to reach functionality that should be restricted to higher-privileged roles. The vulnerability stems from improper access control validation (CWE-862): sensitive plugin functions do not verify the caller's authentication or capabilities before executing, potentially enabling unauthorized users to access restricted functionality or administrative features.
Technical Context
The Accordion Slider Gallery plugin for WordPress contains a broken access control vulnerability classified under CWE-862 (Missing Authorization): a failure to enforce that a user cannot perform an action or access a resource they are not permitted to. In WordPress plugins this class of vulnerability typically occurs when a handler lacks nonce verification (wp_verify_nonce, check_ajax_referer), capability checks (current_user_can), or other role-based access control before executing a sensitive operation. The plugin likely exposes AJAX endpoints, REST API routes, or admin functions without adequate authentication or authorization checks, allowing attackers to manipulate requests and reach protected functionality regardless of their user role or authentication status.
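The pattern described above, shown as an added example that is not the plugin's own code: a hypothetical AJAX settings handler that lacks any authorization check, beside a hardened version that uses check_ajax_referer and current_user_can. The hook names, option key, script handle and field names are assumptions.

```php
<?php
// Added example, not code from the Accordion Slider Gallery plugin.
// Hook names, option key ('asg_settings') and script handle are hypothetical.

// Insecure pattern (CWE-862): registered for logged-in users (wp_ajax_) AND for
// anonymous visitors (wp_ajax_nopriv_), with no nonce and no capability check,
// so any caller can overwrite the plugin's settings.
add_action( 'wp_ajax_asg_save_settings', 'asg_save_settings_insecure' );
add_action( 'wp_ajax_nopriv_asg_save_settings', 'asg_save_settings_insecure' );
function asg_save_settings_insecure() {
    update_option( 'asg_settings', wp_unslash( $_POST['settings'] ?? array() ) );
    wp_send_json_success();
}

// Hardened pattern: no nopriv registration, a nonce bound to this action,
// an explicit capability check, and input sanitised before it is stored.
add_action( 'wp_ajax_asg_save_settings_v2', 'asg_save_settings_secure' );
function asg_save_settings_secure() {
    // CSRF protection: terminates the request (HTTP 403) if the nonce is bad.
    check_ajax_referer( 'asg_save_settings', 'nonce' );

    // Authorization: only users who may manage options can change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] ) : array();
    $clean = array(
        'slide_width' => absint( $raw['slide_width'] ?? 0 ),
        'autoplay'    => ! empty( $raw['autoplay'] ) ? 1 : 0,
        'title'       => sanitize_text_field( $raw['title'] ?? '' ),
    );
    update_option( 'asg_settings', $clean );
    wp_send_json_success( $clean );
}

// Hand the nonce to the admin page's script (assumes a registered 'asg-admin'
// handle) so legitimate requests can include it as the 'nonce' POST field.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'asg-admin', 'asgAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'asg_save_settings' ),
    ) );
} );
```

The same two checks apply to REST routes, where the capability test belongs in the route's permission_callback rather than in the handler body.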
Affected Products
WordPress Accordion Slider Gallery plugin version 2.7 and all prior versions are affected. The plugin is distributed through the official WordPress.org plugin repository and identified by CPE component wp:accordion-slider-gallery. Users running any release through version 2.7 should be considered vulnerable, with no version range exclusions noted in available advisory data.
Remediation
Update WordPress Accordion Slider Gallery to a version newer than 2.7 as soon as a patched release is available. Check the official plugin page on WordPress.org and the Patchstack vulnerability database (https://patchstack.com/database/Wordpress/Plugin/accordion-slider-gallery/) for the specific patched version number. Until a patch is confirmed released, consider disabling the plugin or restricting its use to trusted administrators only. Review logs for requests to the plugin's endpoints since the disclosure date to determine whether its broken access controls were used to reach sensitive data. Where a Web Application Firewall is available, add rules to monitor and block suspicious requests to accordion-slider-gallery AJAX endpoints.