Skip to main content

Simply Gallery CVE-2026-25345

| EUVDEUVD-2026-15659 CRITICAL
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-03-25 Patchstack GHSA-5mpf-9qfh-9g4r
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15659
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
CRITICAL 9.9

DescriptionCVE.org

Improper Validation of Specified Quantity in Input vulnerability in GalleryCreator SimpLy Gallery simply-gallery-block allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects SimpLy Gallery: from n/a through <= 3.3.2.

AnalysisAI

A improper input validation vulnerability in GalleryCreator SimpLy Gallery plugin (versions up to 3.3.2) allows attackers to access functionality that should be restricted by access control lists (ACLs), potentially leading to information disclosure and arbitrary code execution. The vulnerability affects WordPress installations using the simply-gallery-block plugin and stems from insufficient validation of quantity inputs combined with inadequate authorization checks. While CVSS scoring is unavailable, the reported nature of the vulnerability suggests elevated risk due to the potential for unauthorized functionality access and code execution capabilities.

Technical ContextAI

The vulnerability exists in the GalleryCreator SimpLy Gallery WordPress plugin (CPE: cpe:2.3:a:gallerycreator:simply_gallery:*:*:*:*:*:*:*:*), specifically classified under CWE-1284 (Improper Validation of Specified Quantity in Input). This weakness describes a flaw where an application fails to properly validate numeric input quantities, which in this case combines with inadequate access control mechanisms to permit unauthorized access to restricted functionality. WordPress plugins operate within the WordPress permission framework, and improper validation of input quantities can bypass role-based access controls (ACLs) by allowing attackers to manipulate parameters that control access decisions or trigger unintended code execution paths. The root cause is the intersection of two security failures: insufficient input validation and missing authorization enforcement on sensitive operations.

RemediationAI

Update GalleryCreator SimpLy Gallery plugin to a version newer than 3.3.2 immediately when available. Monitor the Patchstack vulnerability database (https://patchstack.com/database/Wordpress/Plugin/simply-gallery-block/vulnerability/wordpress-simply-gallery-plugin-3-3-2-arbitrary-code-execution-vulnerability) and the plugin's official WordPress.org plugin page for patched versions. As an interim mitigation before patching is available, restrict plugin functionality through WordPress user role management by ensuring only trusted administrators can access gallery creation features, and implement Web Application Firewall (WAF) rules to block requests containing suspicious quantity parameter values or ACL-bypass indicators. For environments unable to patch immediately, consider disabling the simply-gallery-block plugin until a patched version is released. Verify no unauthorized gallery access or suspicious code execution has occurred by auditing plugin activity logs and WordPress admin action history.

Share

CVE-2026-25345 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy