CVE-2025-6726
BaseFortify
Publication date: 2025-07-18
Last updated on: 2026-04-08
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| krasen_slavov | block_editor_gallery_slider | 1.1.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Block Editor Gallery Slider WordPress plugin allows authenticated users with Subscriber-level access or higher to modify certain post metadata without proper authorization. This happens because the plugin's classic_gallery_slider_options() function lacks a capability check, enabling these users to update limited post meta for arbitrary posts.
How can this vulnerability impact me?
This vulnerability can allow low-privileged authenticated users to make unauthorized changes to post metadata, potentially leading to data integrity issues or unauthorized content modifications on your WordPress site. While it does not allow full content changes or system compromise, it can affect the reliability and trustworthiness of post data.
What immediate steps should I take to mitigate this vulnerability?
Immediately deactivate and uninstall the Block Editor Gallery Slider plugin from your WordPress installation, as it has been temporarily closed and removed from download availability pending a full security review. Avoid using versions up to and including 1.1.1 until a secure update is released. Monitor official WordPress plugin repositories or the developer's announcements for a patched version before reinstallation. [1]
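To make the missing-authorization pattern concrete, the following is an added illustration, not the Block Editor Gallery Slider plugin's code: the hook names, function names and meta key are invented, and only the WordPress core APIs are real. It shows an admin-ajax handler that writes post meta without a capability check beside the hardened form that ties the write to the caller's right to edit that specific post.

```php
<?php
// Hypothetical illustration of the CWE-862 pattern described above.
// NOT the plugin's code; hook, function and meta-key names are invented.

// Flawed pattern: wp_ajax_ hooks fire for every logged-in role, Subscriber
// included, so this handler lets any authenticated user write meta on any post.
add_action( 'wp_ajax_example_gallery_options', 'example_gallery_options_unchecked' );
function example_gallery_options_unchecked() {
    $post_id = (int) $_POST['post_id'];
    $value   = sanitize_text_field( wp_unslash( $_POST['value'] ) );
    update_post_meta( $post_id, '_example_gallery_option', $value ); // no authorization check
    wp_send_json_success();
}

// Hardened pattern: verify the nonce, then require the edit_post capability
// for the targeted post before touching its metadata.
add_action( 'wp_ajax_example_gallery_options_v2', 'example_gallery_options_checked' );
function example_gallery_options_checked() {
    // CSRF protection: dies with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_gallery_options', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        // Authorization check (the CWE-862 fix): a Subscriber cannot edit
        // posts they do not own, so the write is refused for arbitrary posts.
        wp_send_json_error( 'forbidden', 403 );
    }

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_post_meta( $post_id, '_example_gallery_option', $value );
    wp_send_json_success();
}
```

When reviewing a plugin for this class of bug, look for every `wp_ajax_*`, REST or `admin_post_*` handler that calls `update_post_meta()` and confirm a `current_user_can( 'edit_post', $post_id )` style check guards the specific post being modified.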