WordPress Plugin Vulnerabilities

Gallery Metabox <= 1.5 - Subscriber+ Unauthorized Data Access

Description

The plugin does not correctly implement capability checks on the refresh_metabox function, leading to unauthorized access of data. As a result, subscribers can obtain a list of images attached to a post.

Affects Plugins

Plugin icon
gallery-metabox
No known fix

References

CVE
CVE-2023-2562
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/951e4651-56d6-474d-84b3-5a7cfc357b9f

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
95f3ba42-4b5e-4894-b448-8dbbcc256e79

Timeline

Publicly Published
2023-06-22 (about 2 years ago)
Added
2023-07-12 (about 2 years ago)
Last Updated
2023-07-12 (about 2 years ago)

Other

Published
Title
Published
2024-06-28
Title
Newspack Blocks < 3.0.9 - Missing Authorization
Published
2024-03-12
Title
Bulgarisation for WooCommerce < 3.0.15 - Cross-Site Request Forgery
Published
2025-10-16
Title
One Page Express Companion < 1.6.44 - Missing Authorization
Published
2025-12-11
Title
Laser <= 1.1.1 - Missing Authorization
Published
2024-11-27
Title
Image Alt Text < 3.0.0 - Missing Authorization to Authenticated (Subscriber+) Image Alt Text Update