WordPress Plugin Vulnerabilities

Photospace Gallery <= 2.3.5 - Subscriber+ Arbitrary Settings Update

Description

The plugin does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them

Affects Plugins

Plugin icon
photospace
No known fix

References

CVE
CVE-2022-38135

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Tien Nguyen Anh
Verified
No
WPVDB ID
8a034004-f421-49b5-b5cc-f45bdfb1eb82

Timeline

Publicly Published
2022-09-12 (about 3 years ago)
Added
2022-09-14 (about 3 years ago)
Last Updated
2022-09-14 (about 3 years ago)

Other

Published
Title
Published
2024-07-11
Title
Titan Anti-spam & Security < 7.3.8 - Missing Authorization
Published
2025-12-15
Title
Webba Booking < 6.2.2 - Missing Authorization
Published
2024-03-28
Title
Finale Lite < 2.18.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation
Published
2026-01-27
Title
aDirectory < 3.0.4 - Missing Authorization
Published
2025-12-31
Title
EasyTest <= 1.0.1 - Missing Authorization