CVE-2026-54190

Vulnerability

An unauthenticated broken access control vulnerability exists in the Envira Photo Gallery plugin for WordPress, version 1.12.5 and earlier. The plugin fails to properly check authorization, authentication, or nonce tokens in certain functions, allowing unprivileged users to perform higher-privileged actions. This issue affects all installations using the plugin up to and including the 1.12.5 release.

Exploitation

An attacker does not require authentication to exploit this vulnerability. By sending specially crafted requests to the affected plugin, an unauthenticated user can trigger functions that should normally be restricted to higher-privileged roles. No user interaction or specific network position is required, making the attack remotely exploitable.

Impact

Successful exploitation allows an unauthenticated attacker to perform actions normally reserved for privileged users, such as modifying gallery settings or accessing sensitive data. The impact is limited by the plugin's capabilities, but could lead to unauthorized data modification or information disclosure. The CVSS score of 6.5 indicates a moderate severity with high availability impact.

Mitigation

The vulnerability is fixed in version 1.12.6. Users are strongly advised to update immediately. For those unable to update, Patchstack offers a mitigation rule to block attacks until the update can be applied. No workarounds other than updating or applying the rule are currently available. This vulnerability is expected to become exploited in mass campaigns, so prompt action is recommended [1].