Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper Validation of Specified Quantity in Input vulnerability in GalleryCreator SimpLy Gallery simply-gallery-block allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects SimpLy Gallery: from n/a through <= 3.3.2.
AnalysisAI
A improper input validation vulnerability in GalleryCreator SimpLy Gallery plugin (versions up to 3.3.2) allows attackers to access functionality that should be restricted by access control lists (ACLs), potentially leading to information disclosure and arbitrary code execution. The vulnerability affects WordPress installations using the simply-gallery-block plugin and stems from insufficient validation of quantity inputs combined with inadequate authorization checks. While CVSS scoring is unavailable, the reported nature of the vulnerability suggests elevated risk due to the potential for unauthorized functionality access and code execution capabilities.
Technical ContextAI
The vulnerability exists in the GalleryCreator SimpLy Gallery WordPress plugin (CPE: cpe:2.3:a:gallerycreator:simply_gallery:*:*:*:*:*:*:*:*), specifically classified under CWE-1284 (Improper Validation of Specified Quantity in Input). This weakness describes a flaw where an application fails to properly validate numeric input quantities, which in this case combines with inadequate access control mechanisms to permit unauthorized access to restricted functionality. WordPress plugins operate within the WordPress permission framework, and improper validation of input quantities can bypass role-based access controls (ACLs) by allowing attackers to manipulate parameters that control access decisions or trigger unintended code execution paths. The root cause is the intersection of two security failures: insufficient input validation and missing authorization enforcement on sensitive operations.
RemediationAI
Update GalleryCreator SimpLy Gallery plugin to a version newer than 3.3.2 immediately when available. Monitor the Patchstack vulnerability database (https://patchstack.com/database/Wordpress/Plugin/simply-gallery-block/vulnerability/wordpress-simply-gallery-plugin-3-3-2-arbitrary-code-execution-vulnerability) and the plugin's official WordPress.org plugin page for patched versions. As an interim mitigation before patching is available, restrict plugin functionality through WordPress user role management by ensuring only trusted administrators can access gallery creation features, and implement Web Application Firewall (WAF) rules to block requests containing suspicious quantity parameter values or ACL-bypass indicators. For environments unable to patch immediately, consider disabling the simply-gallery-block plugin until a patched version is released. Verify no unauthorized gallery access or suspicious code execution has occurred by auditing plugin activity logs and WordPress admin action history.
More in Simply Gallery
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15659
GHSA-5mpf-9qfh-9g4r