Description
Improper Validation of Specified Quantity in Input vulnerability in GalleryCreator SimpLy Gallery simply-gallery-block allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects SimpLy Gallery: from n/a through <= 3.3.2.
Published: 2026-03-25
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from improper validation of a quantity value supplied by a user. This oversight allows an attacker to call protected functions that are not properly constrained by access control lists, leading to the ability to execute arbitrary code within the WordPress environment. The weakness is a direct example of an input validation flaw.

Affected Systems

Vendor GalleryCreator distributes the SimpLy Gallery WordPress plugin. Any installation of the plugin from the initial release through version 3.3.2 is affected. Administrators are encouraged to check the plugin version they have deployed and compare it against the stated limit.

Risk and Exploitability

A CVSS score of 9.9 indicates critical severity, while an EPSS score of less than 1% suggests low current exploit probability. The vulnerability is not listed in the CISA KEV database, implying no confirmed exploits in the wild yet. An attacker would likely leverage HTTP requests crafted to submit an unvalidated quantity, thereby triggering the ACL bypass and code execution. The attack vector is inferred to be remote, via a web request, and would require the attacker to have access to the front‑end or an authenticated user session to submit the malicious input.

Generated by OpenCVE AI on March 27, 2026 at 16:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update SimpLy Gallery to version 3.3.3 or later. If upgrading is not immediately possible, disable or remove the plugin to eliminate the threat. Ensure that any remaining installations are not exposed to unauthenticated users by restricting access to the relevant administrative pages.

Generated by OpenCVE AI on March 27, 2026 at 16:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Gallerycreator
Gallerycreator simply Gallery
Wordpress
Wordpress wordpress
Vendors & Products Gallerycreator
Gallerycreator simply Gallery
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Improper Validation of Specified Quantity in Input vulnerability in GalleryCreator SimpLy Gallery simply-gallery-block allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects SimpLy Gallery: from n/a through <= 3.3.2.
Title WordPress SimpLy Gallery plugin <= 3.3.2 - Arbitrary Code Execution vulnerability
Weaknesses CWE-1284
References

Subscriptions

Gallerycreator Simply Gallery
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-24T15:35:37.476Z

Reserved: 2026-02-02T12:52:42.958Z

Link: CVE-2026-25345

cve-icon Vulnrichment

Updated: 2026-03-27T14:28:08.498Z

cve-icon NVD

Status : Deferred

Published: 2026-03-25T17:16:45.213

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-25345

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T20:26:23Z

Weaknesses