Skip to main content

Envira Photo Gallery CVE-2026-54190

| EUVDEUVD-2026-37052 MEDIUM
Missing Authorization (CWE-862)
2026-06-16 Patchstack GHSA-2x8h-2m6p-f79p
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
6.5 MEDIUM

Network-reachable WordPress endpoint, no auth required per description and PR:N; limited integrity and availability impact with no confidentiality exposure confirmed.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 10:30 vuln.today

DescriptionCVE.org

Unauthenticated Broken Access Control in Envira Photo Gallery <= 1.12.5 versions.

AnalysisAI

Broken access control in the Envira Photo Gallery WordPress plugin (versions <= 1.12.5) allows unauthenticated remote attackers to bypass authorization checks and perform unauthorized operations affecting site integrity and availability. The flaw stems from missing authorization enforcement (CWE-862) on one or more plugin endpoints, exploitable without any credentials or user interaction across default WordPress deployments. No public exploit code or CISA KEV listing has been identified at time of analysis, though the unauthenticated network vector keeps real-world risk elevated for any site running the affected plugin.

Technical ContextAI

The vulnerability affects the Envira Photo Gallery plugin for WordPress, developed by Awesomemotive (CPE: cpe:2.3:a:awesomemotive:envira_photo_gallery:*:*:*:*:*:*:*:*), a PHP-based gallery management extension commonly installed on WordPress sites to manage and display photo galleries. CWE-862 (Missing Authorization) identifies the root cause: the plugin exposes one or more AJAX handlers, REST API endpoints, or admin-facing actions without implementing WordPress capability checks (e.g., current_user_can()) or nonce verification tied to an authenticated session. This allows any remote party - including completely unauthenticated visitors - to invoke privileged functionality. The CVSS impact metrics (I:L, A:L, C:N) suggest the exposed actions can alter gallery data or disrupt availability but do not directly expose sensitive information.

RemediationAI

Administrators should update the Envira Photo Gallery plugin to a version released after 1.12.5 as soon as a patched release is confirmed available in the WordPress plugin repository; an exact fixed version number was not independently confirmed in available intelligence at time of analysis. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/envira-gallery-lite/vulnerability/wordpress-envira-photo-gallery-plugin-1-12-5-broken-access-control-vulnerability for patch confirmation. As a compensating control where immediate patching is not possible, restrict access to WordPress admin-facing and AJAX endpoints (wp-admin/admin-ajax.php and any REST API routes registered by the plugin) at the web server or WAF layer to authenticated sessions only - note this may break legitimate unauthenticated gallery functionality. Alternatively, temporarily deactivating the plugin eliminates exposure entirely but also removes gallery functionality for site visitors. Web application firewall rules targeting unauthorized parameter manipulation on gallery endpoints may provide partial mitigation with lower operational impact.

Share

CVE-2026-54190 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy