VYPR
Medium severity · 5.4 · NVD Advisory · Published Dec 31, 2025 · Updated Apr 23, 2026

CVE-2025-62098

Description

Missing Authorization vulnerability in totalsoft Portfolio Gallery gallery-portfolio allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Portfolio Gallery: from n/a through <= 1.4.8.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Portfolio Gallery plugin for WordPress (versions up to and including 1.4.8) has a missing authorization vulnerability: at least one plugin action can be invoked by users who lack the privileges it should require, such as the ability to access or modify gallery settings.

Root Cause

The Portfolio Gallery plugin for WordPress, developed by totalsoft, contains a missing authorization (broken access control) vulnerability in versions up to and including 1.4.8 [1]. Certain plugin functions execute without first verifying that the caller holds the required capability (for example via current_user_can()), so any user who can reach the entry point can invoke them [1]. A nonce check, if one is present, does not close this class of bug: a nonce is a CSRF defence that proves the request came from a page rendered for that user, and a low-privileged user can obtain a valid nonce legitimately. Authorization requires an explicit capability check.

Attack Vector

The attacker is a low-privileged user (for example, a subscriber account on a site with open registration) who uses the missing check to perform actions that should require higher-level permissions, such as managing gallery settings or content [1]. The narrative in [1] also mentions unauthenticated callers; the 5.4 score on this page is consistent with an attacker who holds a low-privileged account rather than one with no account, so treat the unauthenticated case as unconfirmed. No special network position is required: the vulnerable action is reached over HTTP against any WordPress site running the affected plugin version, and for this class of bug the usual route is a plugin AJAX or admin-post action [1].
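To make the root cause and attack vector above concrete, here is an added example of a WordPress AJAX handler that saves gallery settings, written first with the missing-authorization pattern described on this page and then hardened. This is hypothetical code, not the Portfolio Gallery plugin's own source; the hook names pg_save_settings_vuln and pg_save_settings, the option name pg_gallery_settings, the nonce action pg_settings and the field names are assumptions made for the illustration.

```php
<?php
/**
 * Added example, not code from the Portfolio Gallery plugin.
 * Hook names, option name, nonce action and field names are assumptions.
 */

// --- Vulnerable pattern ------------------------------------------------------
// wp_ajax_* callbacks run for any logged-in user, subscribers included.
// Registering the same callback on wp_ajax_nopriv_* would also expose it to
// requests with no session at all.
add_action( 'wp_ajax_pg_save_settings_vuln', 'pg_save_settings_vuln' );

function pg_save_settings_vuln() {
    // is_admin() is true for every admin-ajax.php request regardless of the
    // caller's role, so this is not an authorization check.
    if ( ! is_admin() ) {
        wp_send_json_error( 'not an admin request', 403 );
    }

    // The nonce stops cross-site request forgery only. A subscriber who can
    // load a page that renders this nonce gets a valid one for free.
    check_ajax_referer( 'pg_settings', 'nonce' );

    // No current_user_can() call: any authenticated user reaches this point.
    $settings = array(
        'columns'    => absint( $_POST['columns'] ?? 3 ),
        'lightbox'   => ! empty( $_POST['lightbox'] ),
        'custom_css' => wp_unslash( $_POST['custom_css'] ?? '' ), // stored unsanitized
    );
    update_option( 'pg_gallery_settings', $settings );
    wp_send_json_success( $settings );
}

// --- Hardened pattern --------------------------------------------------------
add_action( 'wp_ajax_pg_save_settings', 'pg_save_settings' );

function pg_save_settings() {
    // 1. CSRF: verify the nonce without letting check_ajax_referer() die(),
    //    so the handler controls the error response.
    if ( ! check_ajax_referer( 'pg_settings', 'nonce', false ) ) {
        wp_send_json_error( 'invalid nonce', 403 );
    }

    // 2. Authorization: require the capability that changing plugin settings
    //    should need. By default only Administrators hold manage_options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Validate and sanitize every field before persisting it.
    $columns = absint( $_POST['columns'] ?? 3 );
    if ( $columns < 1 || $columns > 6 ) {
        wp_send_json_error( 'columns must be between 1 and 6', 400 );
    }
    $settings = array(
        'columns'    => $columns,
        'lightbox'   => ! empty( $_POST['lightbox'] ),
        'custom_css' => wp_strip_all_tags( wp_unslash( $_POST['custom_css'] ?? '' ) ),
    );
    update_option( 'pg_gallery_settings', $settings );
    wp_send_json_success( $settings );
}
```

From a subscriber session, a POST to /wp-admin/admin-ajax.php with action=pg_save_settings_vuln and a valid nonce succeeds and overwrites the option; the hardened handler rejects the same request with 403 because the caller lacks manage_options. The ordering matters: the capability check must precede any side effect, and is_admin() or a nonce check must never be mistaken for it.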

Impact

Successful exploitation lets the attacker trigger plugin functionality that should be restricted to higher-privileged roles, potentially leading to unauthorized modification or disclosure of gallery data [1]. The phrase "Exploiting Incorrectly Configured Access Control Security Levels" in the description is the CAPEC-180 attack-pattern name, not a setting the attacker changes. Missing-authorization bugs in WordPress plugins are commonly swept up in mass-exploitation campaigns that target every site running the affected version, regardless of its size or popularity [1].

Mitigation

Update the plugin to a release newer than 1.4.8, the end of the affected range; the narrative in [1] states the vendor has released a fix, although no patch link is indexed on this page yet. Until the update is applied, reduce the pool of accounts that can reach the vulnerable action: disable open user registration if the site does not need it, review existing low-privileged accounts, and deactivate the plugin if it is not essential. If you cannot perform the update yourself, contact your hosting provider or a web developer [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 1

News mentions: 0 (no linked articles in the index yet)