Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in vowelweb VW Photography vw-photography allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW Photography: from n/a through <= 1.3.8.
AnalysisAI
Improper access control in VW Photography through version 1.3.8 permits unauthenticated attackers to modify application data due to missing authorization checks on sensitive functions. An attacker can exploit this vulnerability over the network without user interaction to alter content or settings, though confidentiality and availability are not impacted. No patch is currently available for this vulnerability.
Technical ContextAI
The VW Photography plugin for WordPress (identified via CPE string cpe:2.3:a:vowelweb:vw_photography) implements photography management and gallery features but fails to implement proper authorization checks on sensitive operations. The vulnerability falls under CWE-862 (Missing Authorization), which indicates that security-critical functions lack proper verification that the requesting user has explicit permission to perform the action. The plugin likely fails to validate user roles and capabilities before processing POST/PUT requests or API calls that modify photography data, allowing the 'I' (Integrity) component of CIA to be compromised. This is distinct from authentication failures; the user may be authenticated or the check may be entirely absent, but the authorization layer that determines what an authenticated user can do is misconfigured or missing entirely.
RemediationAI
Immediately update the VW Photography plugin to the latest available version (1.3.9 or later if released) through the WordPress admin dashboard or directly from the official plugin repository. If an immediate patch is unavailable, restrict plugin access by enforcing role-based capabilities at the WordPress level using security plugins (such as Wordfence) to limit who can access photography management features, disable the plugin's public-facing API endpoints if not required, and implement Web Application Firewall (WAF) rules to block unauthorized modification requests to photography endpoints. Additionally, review all recent changes to photography galleries and content to detect any unauthorized modifications made during the vulnerability window.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11976