Description
Missing Authorization vulnerability in FooPlugins FooGallery foogallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FooGallery: from n/a through <= 3.1.11.
Published: 2026-02-19
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Apply Patch
AI Analysis

Impact

This vulnerability is a missing authorization flaw that enables users to bypass intended access controls. By exploiting incorrectly configured security levels, an attacker can view, modify, or delete gallery content that should be restricted. The weakness is classified as CWE‑862 and results in unauthorized data access, potentially undermining data confidentiality and integrity. The description provides no indication of remote code execution or denial of service.

Affected Systems

The flaw affects the FooPlugins FooGallery WordPress plugin. Any site running FooGallery version 3.1.11 or earlier is potentially impacted. The description does not enumerate specific minor releases beyond the threshold, so all releases through 3.1.11 are vulnerable.

Risk and Exploitability

The CVSS score of 4.3 indicates a medium‑low severity, while the EPSS score of less than 1% suggests a very low probability of exploitation in the wild at the time of analysis. The vulnerability is not listed in CISA's KEV catalog. Attackers would need to leverage incorrect access control settings within the plugin, implying a web‑application level attack that requires access to the WordPress administrative interface or knowledge of user roles.

Generated by OpenCVE AI on April 16, 2026 at 00:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the FooGallery plugin to a version newer than 3.1.11 to apply the security fix.
  • Verify that the plugin’s access‑control settings restrict gallery visibility to authorized roles and that anonymous or low‑privilege users cannot access sensitive galleries.
  • If an upgrade is not possible, disable or remove the FooGallery plugin to eliminate the vulnerable functionality.

Generated by OpenCVE AI on April 16, 2026 at 00:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 20:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Fooplugins
Fooplugins foogallery
Wordpress
Wordpress wordpress
Vendors & Products Fooplugins
Fooplugins foogallery
Wordpress
Wordpress wordpress

Thu, 19 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in FooPlugins FooGallery foogallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FooGallery: from n/a through <= 3.1.11.
Title WordPress FooGallery plugin <= 3.1.11 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Fooplugins Foogallery
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:49.914Z

Reserved: 2026-02-02T12:52:48.541Z

Link: CVE-2026-25363

cve-icon Vulnrichment

Updated: 2026-02-26T18:48:21.013Z

cve-icon NVD

Status : Deferred

Published: 2026-02-19T09:16:19.160

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25363

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T00:30:18Z

Weaknesses