VYPR
Medium severity 4.3 · NVD Advisory · Published Apr 23, 2026 · Updated Apr 23, 2026

CVE-2025-62104

Description

Missing Authorization vulnerability in Navneil Naicker ACF Galerie 4 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ACF Galerie 4: from n/a through 1.4.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ACF Galerie 4 plugin for WordPress suffers from a broken access control vulnerability allowing unauthenticated attackers to exploit missing authorization checks.

Vulnerability Overview

The ACF Galerie 4 plugin for WordPress, versions from n/a through 1.4.2, contains a missing authorization vulnerability (broken access control). This means the plugin fails to properly verify that a user has the required permissions before allowing access to certain functions or data.[1] Specifically, the issue lies in incorrectly configured access control security levels, which could expose administrative actions to unprivileged users.

Attack Vector and Exploitation

The vulnerability requires no authentication, as it stems from a lack of authorization checks in one or more plugin functions. An attacker can exploit this by sending specially crafted requests to the WordPress site, bypassing normal permission checks. Because no nonce or capability verification is performed, the attack surface is widened, and exploitation does not depend on any user interaction.[1] This makes it possible for unauthenticated remote attackers to target the vulnerability.

Impact and Consequences

Successful exploitation could allow an attacker to perform unauthorized actions that should be restricted to higher-privileged users, such as modifying plugin settings or executing administrative tasks. The CVSS v3 score of 4.3 (Medium) indicates a moderate severity, with low impact on confidentiality and integrity, but note that the vulnerability could be chained in mass-exploit campaigns targeting thousands of sites.[1]

Mitigation Status

Patchstack has rated this vulnerability as low severity and unlikely to be exploited. Nevertheless, the vendor has released version 1.4.3 which fixes the missing authorization issue. Users are strongly advised to update to version 1.4.3 or later immediately. For Patchstack users, enabling auto-updates for vulnerable plugins can streamline protection. If updating is not possible, contacting the hosting provider or a web developer for assistance is recommended.[1]

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
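The narrative above attributes the issue to missing nonce and capability verification in plugin request handlers. The following is an added editorial example of the general WordPress pattern behind that class of defect and its fix; it is not code from ACF Galerie 4, from its author, or from the advisory, and every function, option, action and nonce name in it is a hypothetical placeholder. It shows a hypothetical AJAX settings handler in a weak form (reachable without login, no nonce, no capability check) next to its hardened form.

```php
<?php
// Added illustration, NOT ACF Galerie 4 code. All names below
// (example_save_settings*, example_plugin_layout, the nonce action) are assumptions.

// WEAK FORM: registered on the 'nopriv' hook, so any visitor who can reach
// admin-ajax.php hits it, and it performs neither a nonce nor a capability
// check before writing an option. This is the defect class the advisory
// describes in general terms, not the plugin's actual code.
add_action( 'wp_ajax_nopriv_example_save_settings', 'example_save_settings_weak' );
function example_save_settings_weak() {
    update_option( 'example_plugin_layout', wp_unslash( $_POST['layout'] ?? '' ) );
    wp_send_json_success();
}

// HARDENED FORM: registered only for logged-in users, then nonce (CSRF),
// capability (authorization) and input validation, in that order, before acting.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_hardened' );
function example_save_settings_hardened() {
    // 1. Nonce: the request must carry the token emitted with our own form/page.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // 2. Capability: the caller must actually be allowed to administer the plugin.
    //    A nonce alone is not authorization; a low-privilege user can obtain one.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Validation: store only known values, never raw request input.
    $allowed = array( 'grid', 'masonry', 'slider' );
    $layout  = sanitize_key( wp_unslash( $_POST['layout'] ?? '' ) );
    if ( ! in_array( $layout, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid layout' ), 400 );
    }

    update_option( 'example_plugin_layout', $layout );
    wp_send_json_success( array( 'layout' => $layout ) );
}

// The settings page that renders the form must emit the matching token:
//   wp_nonce_field( 'example_save_settings', 'nonce' );
// or, for a JavaScript caller, pass wp_create_nonce( 'example_save_settings' ).
```

When reviewing a plugin for this defect class, the handlers worth reading first are those registered on `wp_ajax_nopriv_*` or `admin_post_nopriv_*` hooks and REST routes whose `permission_callback` is `__return_true`; each of those is intentionally reachable without login, so any state-changing work inside them needs an explicit justification. Note that `current_user_can()` is the authorization check and `check_ajax_referer()` is only the CSRF check; the hardened form needs both.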

Affected products: 1

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 1