Description
The Photo Gallery by Ays plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.4.8. This is due to missing nonce verification on the bulk action functionality in the 'process_bulk_action()' function. This makes it possible for unauthenticated attackers to perform bulk operations (delete, publish, or unpublish galleries) via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Published: 2025-12-02
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Request Forgery allowing unauthenticated attackers to perform bulk operations on galleries (delete, publish, unpublish) if an administrator is tricked into clicking a forged link.
Action: Apply patch
AI Analysis

Impact

The vulnerability is a Cross‑Site Request Forgery resulting from a missing nonce check in the bulk action handler of the Photo Gallery by Ays plugin, allowing an unauthenticated attacker to manipulate an administrator into performing undesired bulk operations on galleries.

Affected Systems

WordPress sites that use the Photo Gallery by Ays – Responsive Image Gallery plugin version 6.4.8 or earlier are affected. All plugins versions up to and including 6.4.8 are susceptible; later releases (6.4.9+) contain a fix.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate risk, but the EPSS score of less than 1% and the absence from the CISA KEV list suggest a low probability of exploitation. The attack requires an administrator to click a crafted link, so it is not a remote code execution but a privilege‑escalation style action that can delete or modify large numbers of galleries if successful.

Generated by OpenCVE AI on April 21, 2026 at 17:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Photo Gallery by Ays plugin to version 6.4.9 or later to restore nonce verification on bulk actions.
  • If an upgrade is not yet available, disable the bulk action capability for non‑trusted roles or remove the bulk action links from the admin interface.
  • Deploy or configure a Web Application Firewall to detect and block CSRF requests lacking proper nonces, and monitor administrator activity logs for suspicious bulk operations.

Generated by OpenCVE AI on April 21, 2026 at 17:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Dec 2025 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Ays-pro
Ays-pro photo Gallery
Wordpress
Wordpress wordpress
Vendors & Products Ays-pro
Ays-pro photo Gallery
Wordpress
Wordpress wordpress

Tue, 02 Dec 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Dec 2025 07:00:00 +0000

Type Values Removed Values Added
Description The Photo Gallery by Ays plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.4.8. This is due to missing nonce verification on the bulk action functionality in the 'process_bulk_action()' function. This makes it possible for unauthenticated attackers to perform bulk operations (delete, publish, or unpublish galleries) via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Title Photo Gallery by Ays <= 6.4.8 - Cross-Site Request Forgery to Bulk Actions
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Ays-pro Photo Gallery
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:57.104Z

Reserved: 2025-11-25T19:52:12.798Z

Link: CVE-2025-13685

cve-icon Vulnrichment

Updated: 2025-12-02T14:15:24.485Z

cve-icon NVD

Status : Deferred

Published: 2025-12-02T07:15:48.810

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13685

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T18:00:11Z

Weaknesses