{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25363", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:52:48.541Z", "datePublished": "2026-02-19T08:26:59.110Z", "dateUpdated": "2026-04-28T16:14:56.713Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "foogallery", "product": "FooGallery", "vendor": "FooPlugins", "versions": [{"changes": [{"at": "3.1.13", "status": "unaffected"}], "lessThanOrEqual": "3.1.11", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Steven Julian | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:07.275Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in FooPlugins FooGallery foogallery allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects FooGallery: from n/a through <= 3.1.11.</p>"}], "value": "Missing Authorization vulnerability in FooPlugins FooGallery foogallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FooGallery: from n/a through <= 3.1.11."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:56.713Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/foogallery/vulnerability/wordpress-foogallery-plugin-3-1-11-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress FooGallery plugin <= 3.1.11 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T18:48:05.071624Z", "id": "CVE-2026-25363", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:06:09.243Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25363", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T18:48:05.071624Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T18:48:21.013Z"}}], "cna": {"title": "WordPress FooGallery plugin <= 3.1.11 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Steven Julian | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "FooPlugins", "product": "FooGallery", "versions": [{"status": "affected", "changes": [{"at": "3.1.13", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 3.1.11"}], "packageName": "foogallery", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-02-19T09:25:59.567Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/foogallery/vulnerability/wordpress-foogallery-plugin-3-1-11-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in FooPlugins FooGallery foogallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FooGallery: from n/a through <= 3.1.11.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in FooPlugins FooGallery foogallery allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects FooGallery: from n/a through <= 3.1.11.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-02-19T08:26:59.110Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25363", "state": "PUBLISHED", "dateUpdated": "2026-02-26T18:48:25.310Z", "dateReserved": "2026-02-02T12:52:48.541Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:26:59.110Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in FooPlugins FooGallery foogallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FooGallery: from n/a through <= 3.1.11."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en FooPlugins FooGallery foogallery permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a FooGallery: desde n/a hasta &lt;= 3.1.11."}], "id": "CVE-2026-25363", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:19.160", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/foogallery/vulnerability/wordpress-foogallery-plugin-3-1-11-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.1.11]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[3.1.13,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "FooGallery", "source": "cna", "vendor": "FooPlugins"}, "product": "foogallery", "vendor": "fooplugins"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T00:25:34.330786+00:00", "value": {"mitigation_remediation": ["Upgrade the FooGallery plugin to a version newer than 3.1.11 to apply the security fix.", "Verify that the plugin\u2019s access\u2011control settings restrict gallery visibility to authorized roles and that anonymous or low\u2011privilege users cannot access sensitive galleries.", "If an upgrade is not possible, disable or remove the FooGallery plugin to eliminate the vulnerable functionality."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The flaw affects the FooPlugins FooGallery WordPress plugin. Any site running FooGallery version 3.1.11 or earlier is potentially impacted. The description does not enumerate specific minor releases beyond the threshold, so all releases through 3.1.11 are vulnerable.", "description_and_impact": "This vulnerability is a missing authorization flaw that enables users to bypass intended access controls. By exploiting incorrectly configured security levels, an attacker can view, modify, or delete gallery content that should be restricted. The weakness is classified as CWE\u2011862 and results in unauthorized data access, potentially undermining data confidentiality and integrity. The description provides no indication of remote code execution or denial of service.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a medium\u2011low severity, while the EPSS score of less than 1% suggests a very low probability of exploitation in the wild at the time of analysis. The vulnerability is not listed in CISA's KEV catalog. Attackers would need to leverage incorrect access control settings within the plugin, implying a web\u2011application level attack that requires access to the WordPress administrative interface or knowledge of user roles."}}}}, "created": "2026-02-20T10:08:47.031794+00:00", "updated": "2026-04-16T00:30:18.863008+00:00", "vendors": ["fooplugins", "fooplugins$PRODUCT$foogallery", "wordpress", "wordpress$PRODUCT$wordpress"]}