Impact
A missing authorization check in the LCweb Global Gallery plugin for WordPress allows attackers to bypass intended access controls and view or modify gallery items that should be limited to specific WordPress user roles. Classified as CWE‑862 (Missing Authorization), the flaw can lead to disclosure of private media and to unauthorized editing or deletion of site content, compromising the confidentiality, integrity and availability of the site’s media repository.
Affected Systems
The vulnerability affects the LCweb Global Gallery plugin for WordPress in all versions up to and including 9.2.3; no earliest affected version is given. Any WordPress site running the plugin at one of these versions is impacted regardless of theme, other plugins or server configuration, because the missing check sits inside the plugin’s own request handling.
Risk and Exploitability
The CVSS base score of 6.5 falls in the Medium band (4.0 to 6.9), while the EPSS score below 1% indicates a low probability of exploitation in the wild at the time of writing. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Based on the description, the attack vector is remote: the attacker sends crafted HTTP requests to plugin endpoints that act as though the caller already held the privilege the operation requires. Because the defect is a missing authorization check rather than an authentication bypass, the attacker does not need to defeat login or escalate beyond the site’s normal role hierarchy; an ordinary account at the level the endpoint fails to check for is sufficient, and the requests can be sent over the public web.
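The following is an added illustration of the bug class described above, not code from the Global Gallery plugin and not a reproduction of its actual endpoint. The action name `gg_update_item`, the option `gg_items`, the REST route `gg/v1/items` and the capability `edit_posts` are all hypothetical; they stand in for whatever the real plugin uses. It shows an admin-ajax handler that trusts any logged-in user (the CWE-862 pattern) beside a hardened version that checks capability and nonce, plus the equivalent guard for a REST route.

```php
<?php
// Added example, not the plugin's own code. All names below are assumptions.

// VULNERABLE pattern (kept unregistered here, for contrast): wp_ajax_* fires for
// any authenticated user, and nothing asks whether this user may edit gallery
// items. A subscriber-level account can therefore rewrite or delete entries.
function gg_update_item_vulnerable() {
    $items = get_option('gg_items', []);
    $id    = isset($_POST['id']) ? absint($_POST['id']) : 0;
    if (isset($_POST['delete'])) {
        unset($items[$id]);
    } else {
        $items[$id]['title'] = isset($_POST['title'])
            ? sanitize_text_field(wp_unslash($_POST['title']))
            : '';
    }
    update_option('gg_items', $items);
    wp_send_json_success($items[$id] ?? null);
}

// HARDENED replacement: the write path is reached only after
//  (1) an authorization check, the piece CWE-862 is about, and
//  (2) a nonce check, so the request cannot be forged cross-site.
// 'edit_posts' is an assumed capability; use the one the plugin's settings
// screen actually requires, and never register write actions under
// wp_ajax_nopriv_*, which would make them reachable without any account.
add_action('wp_ajax_gg_update_item', 'gg_update_item_hardened');
function gg_update_item_hardened() {
    if (!current_user_can('edit_posts')) {
        wp_send_json_error('forbidden', 403);        // exits
    }
    check_ajax_referer('gg_update_item', 'nonce');   // dies with 403 on failure

    $items = get_option('gg_items', []);
    $id    = isset($_POST['id']) ? absint($_POST['id']) : 0;
    if (isset($_POST['delete'])) {
        unset($items[$id]);
    } else {
        $items[$id]['title'] = isset($_POST['title'])
            ? sanitize_text_field(wp_unslash($_POST['title']))
            : '';
    }
    update_option('gg_items', $items);
    wp_send_json_success($items[$id] ?? null);
}

// The same guard for a REST endpoint: permission_callback is the authorization
// hook. A callback of '__return_true' on a route that writes data is the REST
// form of the same missing-authorization bug.
add_action('rest_api_init', function () {
    register_rest_route('gg/v1', '/items/(?P<id>\d+)', [
        'methods'             => 'POST',
        'permission_callback' => function () {
            return current_user_can('edit_posts');
        },
        'args'                => [
            'id'    => ['sanitize_callback' => 'absint'],
            'title' => ['sanitize_callback' => 'sanitize_text_field'],
        ],
        'callback'            => function (WP_REST_Request $req) {
            $items = get_option('gg_items', []);
            $items[$req['id']]['title'] = $req['title'];
            update_option('gg_items', $items);
            return rest_ensure_response($items[$req['id']]);
        },
    ]);
});
```

When auditing a plugin for this class of flaw, list every `wp_ajax_*` / `wp_ajax_nopriv_*` action and every `register_rest_route` call, and confirm that each handler that reads private data or writes state runs a `current_user_can()` (or equivalent) check before doing so; a nonce check alone is not authorization, since any logged-in user can obtain a nonce for an action the page exposes to them.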