Skip to main content

HM Books Gallery WordPress Plugin CVE-2026-5347

| EUVDEUVD-2026-25398 MEDIUM
Missing Authorization (CWE-862)
2026-04-24 Wordfence GHSA-7cw2-vvg5-h9pj
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 24, 2026 - 06:30 vuln.today
EUVD ID Assigned
Apr 24, 2026 - 06:00 euvd
EUVD-2026-25398
Analysis Generated
Apr 24, 2026 - 06:00 vuln.today
CVE Published
Apr 24, 2026 - 05:29 nvd
MEDIUM 5.3

DescriptionCVE.org

The HM Books Gallery plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.8.0. This is due to the absence of capability checks and nonce verification in the admin_init hook that handles the permalink settings update at line 205-209 of wp-books-gallery.php. The vulnerable code checks only for the presence of the 'permalink_structure' POST parameter before updating the 'wbg_cpt_slug' option, without verifying that the request comes from an authenticated administrator. This makes it possible for unauthenticated attackers to modify the custom post type slug for the books gallery, which changes the URL structure for all book entries and can break existing links and SEO rankings.

AnalysisAI

Unauthenticated attackers can modify the custom post type slug for the HM Books Gallery plugin in WordPress versions up to 4.8.0 by submitting a crafted POST request to the admin_init hook, bypassing all capability and nonce checks. This vulnerability allows modification of the 'wbg_cpt_slug' option without authentication, changing the URL structure for all book entries, breaking existing links, and degrading SEO rankings. No public exploit code or active exploitation has been identified at the time of analysis.

Technical ContextAI

The HM Books Gallery WordPress plugin uses the admin_init hook to process permalink settings updates. The vulnerable code at lines 205-209 of wp-books-gallery.php checks only for the presence of the 'permalink_structure' POST parameter before updating the 'wbg_cpt_slug' WordPress option. WordPress admin_init executes for both authenticated and unauthenticated requests when no explicit capability checks are performed. The vulnerability stems from the absence of two critical WordPress security patterns: the current_user_can() function to verify administrator privileges and wp_verify_nonce() to validate request legitimacy. CWE-862 (Missing Authorization) is the root cause - the application fails to check if the user performing the action has the required permission level. This is a PHP-based WordPress plugin vulnerability affecting the admin settings processing layer.

RemediationAI

Immediately upgrade HM Books Gallery to version 4.8.1 or later, which addresses the missing authorization checks. The plugin maintainer has confirmed the fix in the referenced source code repository. If immediate upgrade is not possible, disable the HM Books Gallery plugin entirely until patching can be completed, as the vulnerability allows unauthenticated modification of critical site settings with no compensating control available. Website administrators should verify that the 'wbg_cpt_slug' option has not been modified to an unintended value post-upgrade by checking the plugin settings page and comparing book gallery URLs against known indexed URLs. For sites with significant book content already indexed, implement 301 redirects from old book URLs to new ones to preserve SEO value and user experience.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-5347 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy