Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Network-reachable WordPress endpoint, no auth required per description and PR:N; limited integrity and availability impact with no confidentiality exposure confirmed.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Access Control in Envira Photo Gallery <= 1.12.5 versions.
AnalysisAI
Broken access control in the Envira Photo Gallery WordPress plugin (versions <= 1.12.5) allows unauthenticated remote attackers to bypass authorization checks and perform unauthorized operations affecting site integrity and availability. The flaw stems from missing authorization enforcement (CWE-862) on one or more plugin endpoints, exploitable without any credentials or user interaction across default WordPress deployments. No public exploit code or CISA KEV listing has been identified at time of analysis, though the unauthenticated network vector keeps real-world risk elevated for any site running the affected plugin.
Technical ContextAI
The vulnerability affects the Envira Photo Gallery plugin for WordPress, developed by Awesomemotive (CPE: cpe:2.3:a:awesomemotive:envira_photo_gallery:*:*:*:*:*:*:*:*), a PHP-based gallery management extension commonly installed on WordPress sites to manage and display photo galleries. CWE-862 (Missing Authorization) identifies the root cause: the plugin exposes one or more AJAX handlers, REST API endpoints, or admin-facing actions without implementing WordPress capability checks (e.g., current_user_can()) or nonce verification tied to an authenticated session. This allows any remote party - including completely unauthenticated visitors - to invoke privileged functionality. The CVSS impact metrics (I:L, A:L, C:N) suggest the exposed actions can alter gallery data or disrupt availability but do not directly expose sensitive information.
RemediationAI
Administrators should update the Envira Photo Gallery plugin to a version released after 1.12.5 as soon as a patched release is confirmed available in the WordPress plugin repository; an exact fixed version number was not independently confirmed in available intelligence at time of analysis. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/envira-gallery-lite/vulnerability/wordpress-envira-photo-gallery-plugin-1-12-5-broken-access-control-vulnerability for patch confirmation. As a compensating control where immediate patching is not possible, restrict access to WordPress admin-facing and AJAX endpoints (wp-admin/admin-ajax.php and any REST API routes registered by the plugin) at the web server or WAF layer to authenticated sessions only - note this may break legitimate unauthenticated gallery functionality. Alternatively, temporarily deactivating the plugin eliminates exposure entirely but also removes gallery functionality for site visitors. Web application firewall rules targeting unauthorized parameter manipulation on gallery endpoints may provide partial mitigation with lower operational impact.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37052
GHSA-2x8h-2m6p-f79p