Description
The Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin for WordPress is vulnerable to unauthorized modification of plugin settings in all versions up to, and including, 3.3.0. This is due to the plugin using the `edit_posts` capability check instead of `manage_options` for the `update_option` action type in the `pgc_sgb_action_wizard` AJAX handler. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify arbitrary plugin settings prefixed with `pgc_sgb_*`.
Published: 2025-12-13
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of plugin settings by authenticated users with Contributor access
Action: Patch
AI Analysis

Impact

The plugin's `pgc_sgb_action_wizard` AJAX handler checks only for the edit_posts capability before processing the update_option action type, rather than the manage_options capability normally required for changing plugin settings. Consequently, any authenticated user with Contributor level access or higher can call the update action and set arbitrary settings that begin with pgc_sgb_, using the same AJAX endpoint the plugin's UI relies on. This flaw does not provide direct code execution, but it does allow the attacker to alter configuration values that may affect how media galleries are rendered or how lightbox functionality behaves.
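The capability mix-up described above, as an added illustration written for this page and not the plugin's own code: a minimal handler in the vulnerable shape the advisory describes, beside a hardened version. The handler name and the `pgc_sgb_` prefix come from the advisory; the nonce action, request parameter names and option names are assumptions.

```php
<?php
// Added illustration, not the plugin's own code: a minimal `pgc_sgb_action_wizard`
// handler in the vulnerable shape the advisory describes, beside a hardened version.
// Nonce action, request parameter names and option names are assumptions.

// Vulnerable shape: `edit_posts` is granted to Contributors, so every Contributor+
// account passes the only check guarding the `update_option` branch.
function pgc_sgb_action_wizard_vulnerable() {
    check_ajax_referer( 'pgc_sgb_nonce', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // exits
    }
    $type = sanitize_key( $_POST['action_type'] ?? '' );
    if ( 'update_option' === $type ) {
        $name  = sanitize_key( $_POST['option_name'] ?? '' );
        $value = wp_unslash( $_POST['option_value'] ?? '' );
        if ( 0 === strpos( $name, 'pgc_sgb_' ) ) { // any pgc_sgb_* option is writable
            update_option( $name, $value );
        }
    }
    wp_send_json_success();
}

// Hardened shape: settings writes require `manage_options` (Administrators by
// default) and only an explicit allow-list of option names is writable.
function pgc_sgb_action_wizard_fixed() {
    check_ajax_referer( 'pgc_sgb_nonce', 'nonce' );
    $type = sanitize_key( $_POST['action_type'] ?? '' );
    if ( 'update_option' === $type ) {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        $allowed = array( 'pgc_sgb_lightbox_enabled', 'pgc_sgb_thumb_size' ); // assumed names
        $name    = sanitize_key( $_POST['option_name'] ?? '' );
        if ( ! in_array( $name, $allowed, true ) ) {
            wp_send_json_error( 'unknown option', 400 );
        }
        update_option( $name, sanitize_text_field( wp_unslash( $_POST['option_value'] ?? '' ) ) );
    } elseif ( ! current_user_can( 'edit_posts' ) ) {
        // Other wizard actions keep the lower, post-editing bar.
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_pgc_sgb_action_wizard', 'pgc_sgb_action_wizard_fixed' );
```

The point to check in any handler of this shape is that the capability test sits on the branch that actually writes settings, not on the entry point shared with lower-privilege actions.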

Affected Systems

The vulnerability affects Mixed Media Gallery Blocks by gallerycreator, in all plugin releases up to and including version 3.3.0. Users running any of those versions remain at risk until they upgrade to a release newer than 3.3.0.

Risk and Exploitability

The CVSS score is 4.3 (Medium), indicating a moderate impact. The EPSS score of less than 1% suggests the likelihood of exploitation is very low at present. The flaw is not listed in the CISA KEV catalog, so there is no known active exploitation, but any authenticated user holding the edit_posts capability can pass the insufficient authorization check. A proof of concept requires only an AJAX request to the handler authenticated as a Contributor or higher; that level of access is enough to modify pgc_sgb_* options in the database.

Generated by OpenCVE AI on April 21, 2026 at 17:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Gallery Blocks with Lightbox plugin to a version newer than 3.3.0 in which the update_option handler validates the manage_options capability.
  • If an immediate upgrade is not possible, remove the edit_posts capability from any Contributor-level roles or replace those roles with stricter ones until the fix can be applied.
  • Verify the integrity of the plugin’s settings after upgrade or suspension of the affected roles, and monitor for unauthorized changes to any pgc_sgb_* options.



Advisories

No advisories yet.

History

Mon, 15 Dec 2025 16:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 14 Dec 2025 21:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Gallerycreator; Gallerycreator gallery Blocks With Lightbox; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Gallerycreator; Gallerycreator gallery Blocks With Lightbox; Wordpress; Wordpress wordpress

Sat, 13 Dec 2025 04:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin for WordPress is vulnerable to unauthorized modification of plugin settings in all versions up to, and including, 3.3.0. This is due to the plugin using the `edit_posts` capability check instead of `manage_options` for the `update_option` action type in the `pgc_sgb_action_wizard` AJAX handler. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify arbitrary plugin settings prefixed with `pgc_sgb_*`.

Type: Title
Values Removed: (none)
Values Added: Gallery Blocks with Lightbox <= 3.3.0 - Missing Authorization to Authenticated (Contributor+) Plugin Settings Modification

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:56:39.059Z

Reserved: 2025-12-08T19:16:10.267Z

Link: CVE-2025-14288

Vulnrichment

Updated: 2025-12-15T15:43:32.655Z

NVD

Status : Deferred

Published: 2025-12-13T16:16:48.310

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14288

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T17:15:25Z

Weaknesses