Description
Missing Authorization vulnerability in Ronald Huereca Photo Block photo-block allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Photo Block: from n/a through <= 1.5.1.
Published: 2025-12-09
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization flaw (CWE-862) in the WordPress Photo Block plugin lets an authenticated user perform an action that the plugin should have restricted to a higher role. The weakness class is an operation exposed to a user without first verifying that the user holds the capability the operation requires. The advisory does not identify which plugin action lacks the check; the current CVSS vector (C:N/I:L/A:N) rates the consequence as a limited loss of integrity only, with no confidentiality or availability impact.
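As an added illustration of the weakness class only, not code from the Photo Block plugin (the advisory does not show which action is affected): a WordPress plugin endpoint in its vulnerable and hardened forms. The route namespace example-block/v1, the option name, the AJAX action, the manage_options capability and every function name are assumptions made for this example.

```php
<?php
/**
 * Added example of the CWE-862 (missing authorization) pattern in a WordPress
 * plugin, vulnerable form beside hardened form. NOT code from Photo Block;
 * the namespace, option name, AJAX action and function names are assumptions.
 */

/* ---------- Vulnerable form (shown for contrast, not hooked in) ---------- */

// REST route whose permission_callback accepts everyone. Any request that can
// reach the endpoint, authenticated or not, updates the option: the operation
// runs without an authorization check, which is exactly what CWE-862 describes.
function example_register_vulnerable_routes() {
    register_rest_route( 'example-block/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_settings',
        'permission_callback' => '__return_true',
    ) );
}

// admin-ajax.php handler for logged-in users with no capability check and no
// nonce. Any authenticated account, including a subscriber, can call it; being
// logged in is authentication, not authorization.
function example_vulnerable_ajax_save() {
    update_option( 'example_block_default_size', $_POST['default_size'] );
    wp_send_json_success();
}

/* ---------- Hardened form ---------- */

// The permission_callback answers the authorization question before the
// callback runs. WordPress replies 401 to anonymous callers and 403 to
// logged-in callers who fail it. Cookie-authenticated REST requests must also
// carry a valid X-WP-Nonce header, otherwise core treats them as anonymous.
// The 'args' schema rejects values outside the allowed set.
function example_register_hardened_routes() {
    register_rest_route( 'example-block/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'default_size' => array(
                'type'              => 'string',
                'required'          => true,
                'enum'              => array( 'thumbnail', 'medium', 'large', 'full' ),
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
}

// AJAX equivalent: verify the CSRF nonce, then the capability, then validate.
function example_hardened_ajax_save() {
    check_ajax_referer( 'example_block_save', 'nonce' ); // dies on a bad nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $size = isset( $_POST['default_size'] )
        ? sanitize_text_field( wp_unslash( $_POST['default_size'] ) )
        : '';
    if ( ! in_array( $size, array( 'thumbnail', 'medium', 'large', 'full' ), true ) ) {
        wp_send_json_error( 'invalid size', 400 );
    }
    update_option( 'example_block_default_size', $size );
    wp_send_json_success( array( 'default_size' => $size ) );
}

// Shared REST callback. By the time it runs, permission_callback and the args
// schema have already gated the request, so it only performs the write.
function example_update_settings( WP_REST_Request $request ) {
    $size = $request->get_param( 'default_size' );
    update_option( 'example_block_default_size', $size );
    return rest_ensure_response( array( 'default_size' => $size ) );
}

add_action( 'rest_api_init', 'example_register_hardened_routes' );
add_action( 'wp_ajax_example_block_save', 'example_hardened_ajax_save' );
```

A quick check that distinguishes the two forms is an unauthenticated POST to the route: the hardened version answers 401 (rest_forbidden) and a logged-in caller without the capability gets 403, while the vulnerable version accepts the request and writes the option. Which capability is the right gate depends on what the action does; manage_options is the conventional choice for plugin settings, and an edit or upload action would use the matching edit_posts or upload_files capability instead.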

Affected Systems

The issue affects the Ronald Huereca Photo Block WordPress plugin, all releases up to and including version 1.5.1 (the lower bound is listed as n/a, so no earlier version is excluded). Sites running these versions are exposed for as long as the plugin is active.

Risk and Exploitability

The current CVSS 3.1 score of 2.7 (vector AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N) rates the issue Low: it is reachable over the network with low attack complexity, but it requires an account with high privileges (PR:H), and the only rated impact is a limited loss of integrity. The EPSS score of under 1% indicates a very low probability of exploitation in the wild, and the issue is not listed in the CISA KEV catalog. Note that the entry was originally published with a CVSS score of 8.8 (PR:L, C:H/I:H/A:H) and the metric was revised to 2.7 on 23 Apr 2026 (see History); scanners or feeds still carrying the earlier score will overstate the risk. No public exploit is referenced on this page. Because the precondition is an already highly privileged account, the practical concern is an insider holding such a role, or an attacker who has compromised one, being able to perform an action the plugin intended to restrict.

Generated by OpenCVE AI on April 29, 2026 at 13:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Photo Block plugin to a release newer than 1.5.1 once the vendor publishes one. At the time of this page no fixed version is listed, so confirm in the plugin changelog that a release actually addresses this issue before treating an upgrade as the fix.
  • If no patched version is available, deactivate the Photo Block plugin (slug photo-block) until one can be installed; an inactive plugin does not register its routes or handlers.
  • Review which roles hold the capabilities that the plugin's settings and content actions require. Since the precondition is a high-privileged account (PR:H), also audit who holds administrator-level roles and remove stale or unnecessary privileged accounts.

Generated by OpenCVE AI on April 29, 2026 at 13:40 UTC.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1)
    Removed: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
    Added:   {'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N'}

Tue, 20 Jan 2026 15:30:00 +0000

Tue, 20 Jan 2026 14:45:00 +0000

Thu, 11 Dec 2025 20:15:00 +0000
  Metrics (cvssV3_1)
    Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Metrics (ssvc)
    Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 10 Dec 2025 18:00:00 +0000
  First Time appeared
    Added: vendor Wordpress, product Wordpress wordpress
  Vendors & Products
    Added: vendor Wordpress, product Wordpress wordpress

Tue, 09 Dec 2025 14:30:00 +0000
  Description
    Added: Missing Authorization vulnerability in Ronald Huereca Photo Block photo-block allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Photo Block: from n/a through <= 1.5.1.
  Title
    Added: WordPress Photo Block plugin <= 1.5.1 - Broken Access Control vulnerability
  Weaknesses
    Added: CWE-862
  References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:27:56.867Z

Reserved: 2025-10-29T03:08:17.828Z

Link: CVE-2025-64254

Vulnrichment

Updated: 2025-12-11T19:05:13.018Z

NVD

Status : Deferred

Published: 2025-12-09T16:18:14.540

Modified: 2026-04-28T22:16:26.347

Link: CVE-2025-64254

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T13:45:12Z

Weaknesses