Impact
The Vimeo SimpleGallery WordPress plugin contains a missing authorization check in the vimeogallery_admin function, which is hooked to WordPress admin menu registration. Because the function does not verify user capabilities, any authenticated user with Subscriber-level or higher permissions can submit the action parameter to the plugin's admin panel and remotely alter arbitrary plugin configuration values. This exposes the site to unauthorized configuration changes that could affect content display, video playback, or other site behavior. The flaw does not directly grant code execution, but it can be leveraged to subvert site functionality or pave the way for other attacks. The weakness is classified as CWE-862 Missing Authorization.
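The missing-authorization pattern described above, as an added illustrative example rather than the plugin's own code: a WordPress admin-page callback that saves a setting from the action parameter without a capability check, next to a hardened version with capability, nonce and input checks. The option name, the vsg_ helper names, the menu slug and the manage_options capability are assumptions for the example.

```php
<?php
// Added illustrative example, NOT the Vimeo SimpleGallery plugin's own code.
// It shows the CWE-862 pattern the advisory describes (an admin-page callback
// that writes options without checking capabilities) beside a hardened form.
// Option name, 'vsg_' helper names, slug and capability are assumptions.

// Vulnerable pattern: the callback trusts any logged-in user who reaches the page.
// If the page is registered with a low capability, a Subscriber who POSTs
// action=save can change the setting.
function vimeogallery_admin_vulnerable() {
    if ( isset( $_POST['action'] ) && $_POST['action'] === 'save' ) {
        // No capability check, no nonce check, no sanitization.
        update_option( 'vsg_gallery_width', $_POST['width'] );
    }
    echo '<div class="wrap"><h1>Vimeo SimpleGallery</h1></div>';
}

// Hardened pattern: authorization, CSRF protection and validation in the callback.
function vimeogallery_admin_hardened() {
    // 1. Authorization: only users who may manage options can use this page.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'vsg' ), '', array( 'response' => 403 ) );
    }
    if ( isset( $_POST['action'] ) && $_POST['action'] === 'save' ) {
        // 2. CSRF protection: reject requests that do not carry the form nonce.
        check_admin_referer( 'vsg_save_settings', 'vsg_nonce' );
        // 3. Validation: store a bounded integer, never raw POST data.
        $width = isset( $_POST['width'] ) ? absint( wp_unslash( $_POST['width'] ) ) : 0;
        if ( $width > 0 && $width <= 4096 ) {
            update_option( 'vsg_gallery_width', $width );
        }
    }
    echo '<div class="wrap"><h1>Vimeo SimpleGallery</h1><form method="post">';
    wp_nonce_field( 'vsg_save_settings', 'vsg_nonce' );
    echo '<input type="hidden" name="action" value="save">';
    echo '<input type="number" name="width" value="' . esc_attr( get_option( 'vsg_gallery_width', 640 ) ) . '">';
    submit_button();
    echo '</form></div>';
}

// The capability passed at registration is what WordPress enforces when a user
// opens the menu page; the callback checks it again so the option write does
// not depend solely on the registration argument being correct.
add_action( 'admin_menu', function () {
    add_options_page( 'Vimeo SimpleGallery', 'Vimeo SimpleGallery', 'manage_options', 'vsg-settings', 'vimeogallery_admin_hardened' );
} );
```

When reviewing a plugin for this class of bug, look for every update_option or similar write reachable from an admin-page or admin_init callback and confirm a current_user_can and a nonce check sit in front of it.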
Affected Systems
WordPress sites that install the Vimeo SimpleGallery plugin, version 0.2 or earlier. The plugin is distributed by the vendor stiand and is publicly available in the WordPress plugin repository. Any site using a vulnerable version of this plugin is affected.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated with at least Subscriber privileges, which limits the threat to users who already have legitimate access to the site's admin area. The attack path consists of logging in to WordPress, navigating to the plugin's admin page, and sending a crafted action parameter. Because it is not a remotely exploitable flaw over the network, it is typically considered a local privilege escalation threat for attackers already capable of accessing the site's management interface.
OpenCVE Enrichment