WordPress Plugin Vulnerabilities

Image Gallery block – Create and display photo gallery/photo album. < 2.0.0 - Missing Authorization

Description

The Image Gallery Block – Create and Display Photo Galleries plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and activate plugins.

Affects Plugins

Plugin icon
3d-image-gallery
Fixed in 2.0.0

References

CVE
CVE-2025-49394
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5427b971-8799-43a4-a60b-717c96e4ee47

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Denver Jackson
Verified
No
WPVDB ID
8980f1ed-6be9-4600-8d16-4a7a9ddb15b6

Timeline

Publicly Published
2025-08-26 (about 10 months ago)
Added
2025-11-11 (about 7 months ago)
Last Updated
2025-11-11 (about 7 months ago)

Other

Published
Title
Published
2025-09-05
Title
SoftMe <= 1.1.27 - Missing Authorization
Published
2025-06-05
Title
Behance Portfolio Manager <= 1.7.4 - Missing Authorization
Published
2024-06-18
Title
Cost Calculator Builder PRO < 3.1.76 - Unauthenticated Arbitrary Email Sending
Published
2026-01-23
Title
Wizit Gateway for WooCommerce <= 1.2.9 - Missing Authentication to Unauthenticated Arbitrary Order Cancellation
Published
2026-02-14
Title
Payment Plugins for PayPal WooCommerce < 2.0.14 - Missing Authorization