WordPress Plugin Vulnerabilities

ACF Photo Gallery Field < 2.7 - Missing Authorization

Description

The plugin is vulnerable to unauthorized access of data, modification of data, or loss of data due to a missing capability check on an unknown function, allowing authenticated attackers, with subscriber access and above, to access the unprotected function.

Affects Plugins

Plugin icon
navz-photo-gallery
Fixed in 2.7

References

CVE
CVE-2024-23518
URL
https://patchstack.com/database/vulnerability/navz-photo-gallery/wordpress-acf-photo-gallery-field-plugin-2-5-broken-access-control-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
d5cfb1c3-25fc-40cd-b31e-e06fdc0af8d4

Timeline

Publicly Published
2024-01-30 (about 2 years ago)
Added
2024-02-09 (about 2 years ago)
Last Updated
2024-02-12 (about 2 years ago)

Other

Published
Title
Published
2025-05-16
Title
CURCY <= 2.3.7 - Missing Authorization to Arbitrary Shortcode Execution
Published
2025-08-26
Title
Zephyr Project Manager < 3.3.202 - Missing Authorization
Published
2025-12-14
Title
CMSMasters Content Composer < 2.5.9 - Missing Authorization
Published
2026-03-17
Title
Yoast Duplicate Post < 4.6 - Contributor+ Arbitrary Post Duplication and Overwrite
Published
2025-03-27
Title
Chatbox Manager < 1.2.3 - Missing Authorization