{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14170", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-05T22:04:38.552Z", "datePublished": "2025-12-12T03:20:38.364Z", "dateUpdated": "2026-04-08T16:34:55.256Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:55.256Z"}, "affected": [{"vendor": "stiand", "product": "Vimeo SimpleGallery", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Vimeo SimpleGallery plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 0.2. This is due to missing authorization checks on the `vimeogallery_admin` function hooked to `admin_menu`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary plugin settings via the `action` parameter."}], "title": "Vimeo SimpleGallery <= 0.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0bb28557-7023-481f-a05b-0b9a22d7a456?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/vimeo-simplegallery/trunk/vimeo_simplegallery.php#L22"}, {"url": "https://plugins.trac.wordpress.org/browser/vimeo-simplegallery/tags/0.2/vimeo_simplegallery.php#L22"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "timeline": [{"time": "2025-12-11T14:25:50.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-15T18:08:52.313202Z", "id": "CVE-2025-14170", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T18:17:26.204Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14170", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-15T18:08:52.313202Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T18:08:54.439Z"}}], "cna": {"title": "Vimeo SimpleGallery <= 0.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Modification", "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "stiand", "product": "Vimeo SimpleGallery", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "0.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-11T14:25:50.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0bb28557-7023-481f-a05b-0b9a22d7a456?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/vimeo-simplegallery/trunk/vimeo_simplegallery.php#L22"}, {"url": "https://plugins.trac.wordpress.org/browser/vimeo-simplegallery/tags/0.2/vimeo_simplegallery.php#L22"}], "descriptions": [{"lang": "en", "value": "The Vimeo SimpleGallery plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 0.2. This is due to missing authorization checks on the `vimeogallery_admin` function hooked to `admin_menu`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary plugin settings via the `action` parameter."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:55.256Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14170", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:34:55.256Z", "dateReserved": "2025-12-05T22:04:38.552Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-12T03:20:38.364Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Vimeo SimpleGallery plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 0.2. This is due to missing authorization checks on the `vimeogallery_admin` function hooked to `admin_menu`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary plugin settings via the `action` parameter."}], "id": "CVE-2025-14170", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-12-12T04:15:49.433", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/vimeo-simplegallery/tags/0.2/vimeo_simplegallery.php#L22"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/vimeo-simplegallery/trunk/vimeo_simplegallery.php#L22"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0bb28557-7023-481f-a05b-0b9a22d7a456?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:19:45.577479+00:00", "value": {"mitigation_remediation": ["Upgrade Vimeo SimpleGallery to the latest version (any release newer than 0.2).", "If an upgrade is not possible, disable the Vimeo SimpleGallery plugin entirely or revoke the admin_menu hooks by editing the plugin files or using a custom plugin to enforce proper capability checks.", "After applying a fix, audit the site for any unauthorized configuration changes and review core user roles to ensure only trusted administrators have Subscriber or higher access."], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "WordPress sites that install the Vimeo SimpleGallery plugin, version 0.2 or earlier. The plugin is distributed by the vendor stiand and is publicly available in the WordPress plugin repository. Any site using a vulnerable version of this plugin is affected.", "description_and_impact": "The Vimeo SimpleGallery WordPress plugin contains a missing authorization check on the vimeogallery_admin function that is hooked to WordPress admin menu registration. Because the function does not verify user capabilities, any authenticated user with Subscriber level or higher permissions can submit the action parameter to the plugin\u2019s admin panel and remotely alter arbitrary plugin configuration values. This capability exposes the site to unauthorized configuration changes that could affect content display, video playback, or other site behavior. The flaw does not directly grant code execution, but it can be leveraged to subvert site functionality or pave the way for other attacks. The weakness is identified as CWE\u2011862 Missing Authorization.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% suggests low exploitation probability at the current time. The vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated with at least Subscriber privileges, which limits the threat to users who have legitimate access to the site\u2019s admin area. The attack path consists of logging in to WordPress, navigating to the plugin\u2019s admin page, and sending a crafted action parameter. Because it is not a remotely exploitable flaw over the network, it is typically considered a local privilege escalation threat for attackers already capable of accessing the site\u2019s management interface."}}}}, "created": "2025-12-12T08:48:19.448958+00:00", "updated": "2026-04-22T16:30:22.137459+00:00", "vendors": ["stiand", "stiand$PRODUCT$vimeo_simplegallery", "wordpress", "wordpress$PRODUCT$wordpress"]}