Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
The HM Books Gallery plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.8.0. This is due to the absence of capability checks and nonce verification in the admin_init hook that handles the permalink settings update at line 205-209 of wp-books-gallery.php. The vulnerable code checks only for the presence of the 'permalink_structure' POST parameter before updating the 'wbg_cpt_slug' option, without verifying that the request comes from an authenticated administrator. This makes it possible for unauthenticated attackers to modify the custom post type slug for the books gallery, which changes the URL structure for all book entries and can break existing links and SEO rankings.
AnalysisAI
Unauthenticated attackers can modify the custom post type slug for the HM Books Gallery plugin in WordPress versions up to 4.8.0 by submitting a crafted POST request to the admin_init hook, bypassing all capability and nonce checks. This vulnerability allows modification of the 'wbg_cpt_slug' option without authentication, changing the URL structure for all book entries, breaking existing links, and degrading SEO rankings. No public exploit code or active exploitation has been identified at the time of analysis.
Technical ContextAI
The HM Books Gallery WordPress plugin uses the admin_init hook to process permalink settings updates. The vulnerable code at lines 205-209 of wp-books-gallery.php checks only for the presence of the 'permalink_structure' POST parameter before updating the 'wbg_cpt_slug' WordPress option. WordPress admin_init executes for both authenticated and unauthenticated requests when no explicit capability checks are performed. The vulnerability stems from the absence of two critical WordPress security patterns: the current_user_can() function to verify administrator privileges and wp_verify_nonce() to validate request legitimacy. CWE-862 (Missing Authorization) is the root cause - the application fails to check if the user performing the action has the required permission level. This is a PHP-based WordPress plugin vulnerability affecting the admin settings processing layer.
RemediationAI
Immediately upgrade HM Books Gallery to version 4.8.1 or later, which addresses the missing authorization checks. The plugin maintainer has confirmed the fix in the referenced source code repository. If immediate upgrade is not possible, disable the HM Books Gallery plugin entirely until patching can be completed, as the vulnerability allows unauthenticated modification of critical site settings with no compensating control available. Website administrators should verify that the 'wbg_cpt_slug' option has not been modified to an unintended value post-upgrade by checking the plugin settings page and comparing book gallery URLs against known indexed URLs. For sites with significant book content already indexed, implement 301 redirects from old book URLs to new ones to preserve SEO value and user experience.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25398
GHSA-7cw2-vvg5-h9pj