{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14003", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-04T07:14:09.911Z", "datePublished": "2025-12-15T14:25:10.183Z", "dateUpdated": "2026-04-08T16:49:24.333Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:24.333Z"}, "affected": [{"vendor": "wpchill", "product": "Modula Image Gallery \u2013 Photo Grid & Video Gallery", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.13.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Image Gallery \u2013 Photo Grid & Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `add_images_to_gallery_callback()` function in all versions up to, and including, 2.13.3. This makes it possible for authenticated attackers, with Author-level access and above, to add images to arbitrary Modula galleries owned by other users."}], "title": "Image Gallery \u2013 Photo Grid & Video Gallery <= 2.13.3 - Missing Authorization to Authenticated (Author+) Arbitrary Gallery Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4490afba-1487-40a4-99c6-c753acb10df3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3414176/modula-best-grid-gallery"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}, {"lang": "en", "type": "finder", "value": "Powpy"}, {"lang": "en", "type": "finder", "value": "Waris Damkham"}, {"lang": "en", "type": "finder", "value": "Varakorn Chanthasri"}, {"lang": "en", "type": "finder", "value": "Peerapat Samatathanyakorn"}, {"lang": "en", "type": "finder", "value": "Sopon Tangpathum (SoNaJaa)"}], "timeline": [{"time": "2025-11-26T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-12-04T07:33:49.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-15T02:22:13.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-15T15:42:31.765701Z", "id": "CVE-2025-14003", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:45:32.953Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14003", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-15T15:42:31.765701Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T15:42:32.847Z"}}], "cna": {"title": "Image Gallery \u2013 Photo Grid & Video Gallery <= 2.13.3 - Missing Authorization to Authenticated (Author+) Arbitrary Gallery Modification", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}, {"lang": "en", "type": "finder", "value": "Powpy"}, {"lang": "en", "type": "finder", "value": "Waris Damkham"}, {"lang": "en", "type": "finder", "value": "Varakorn Chanthasri"}, {"lang": "en", "type": "finder", "value": "Peerapat Samatathanyakorn"}, {"lang": "en", "type": "finder", "value": "Sopon Tangpathum (SoNaJaa)"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wpchill", "product": "Modula Image Gallery \u2013 Photo Grid & Video Gallery", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.13.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-26T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-12-04T07:33:49.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-15T02:22:13.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4490afba-1487-40a4-99c6-c753acb10df3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3414176/modula-best-grid-gallery"}], "descriptions": [{"lang": "en", "value": "The Image Gallery \u2013 Photo Grid & Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `add_images_to_gallery_callback()` function in all versions up to, and including, 2.13.3. This makes it possible for authenticated attackers, with Author-level access and above, to add images to arbitrary Modula galleries owned by other users."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:24.333Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14003", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:49:24.333Z", "dateReserved": "2025-12-04T07:14:09.911Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-15T14:25:10.183Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Image Gallery \u2013 Photo Grid & Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `add_images_to_gallery_callback()` function in all versions up to, and including, 2.13.3. This makes it possible for authenticated attackers, with Author-level access and above, to add images to arbitrary Modula galleries owned by other users."}], "id": "CVE-2025-14003", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-15T15:15:48.963", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3414176/modula-best-grid-gallery"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4490afba-1487-40a4-99c6-c753acb10df3?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T17:07:07.715225+00:00", "value": {"mitigation_remediation": ["Upgrade the Modula Image Gallery plugin to the latest version (\u2265\u202f2.13.4) where the capability check is implemented.", "If an upgrade is not immediately possible, temporarily disable the gallery feature that invokes add_images_to_gallery_callback or replace the plugin with a trusted alternative until a patch is available.", "Re\u2011evaluate the permissions granted to Author\u2011level users and remove or restrict any capability that allows media uploads or gallery edits to limit the impact of the vulnerability."], "summary": {"action": "Patch", "impact": "Unauthorized Gallery Modification"}, "threat_synthesis": {"affected_systems": "All installations of the Modula Image Gallery \u2013 Photo Grid & Video Gallery plugin with version numbers up to and including 2.13.3 are affected. Users must verify their plugin version and upgrade if it falls within this range.", "description_and_impact": "A missing capability check in the add_images_to_gallery_callback function allows an authenticated WordPress user with Author level or higher to add images to any Modula gallery, regardless of ownership. The vulnerability lets the attacker insert or modify gallery content without permission, potentially damaging site aesthetics or distributing malicious media.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. It can be exploited only by authenticated users with at least Author role, making it a local accounts\u2011based privilege issue rather than a remote code execution vector."}}}}, "created": "2025-12-15T21:33:40.479295+00:00", "updated": "2026-04-21T17:15:25.332937+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpchill", "wpchill$PRODUCT$image_gallery"]}