CVE-2025-14170
Missing Authorization in Vimeo SimpleGallery Plugin Allows Settings Modification
Publication date: 2025-12-12
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vimeo | simplegallery | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Vimeo SimpleGallery plugin to a version later than 0.2 in which the missing authorization checks have been fixed. If an update is not available, prevent users with Subscriber-level access or higher from modifying plugin settings, and monitor for unauthorized changes to plugin settings made via the 'action' parameter.
Can you explain this vulnerability to me?
The vulnerability in the Vimeo SimpleGallery plugin for WordPress is a Missing Authorization issue in all versions up to 0.2. It occurs because the function 'vimeogallery_admin', which is hooked to 'admin_menu', lacks proper authorization checks. This allows authenticated users with Subscriber-level access or higher to modify arbitrary plugin settings by manipulating the 'action' parameter.
How can this vulnerability impact me?
This vulnerability allows attackers with Subscriber-level access or higher to change plugin settings without proper authorization. This could lead to unauthorized modifications of the plugin's behavior, potentially compromising the integrity or functionality of the WordPress site.
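The bug class described above is a settings write inside an `admin_menu` callback with no capability check. The following is an added example, not the SimpleGallery plugin's own code: a hypothetical plugin (all `example_gallery_*` names and option keys are assumed) shown first in the vulnerable shape and then hardened with a capability check, a nonce, and input validation.

```php
<?php
// Hypothetical plugin (names assumed); not the SimpleGallery plugin's code.

// VULNERABLE SHAPE: admin_menu fires for every logged-in user who loads
// wp-admin, so without a capability check the 'action' branch lets a
// Subscriber write settings. The menu capability gates only the link.
function example_gallery_admin_vulnerable() {
    if ( isset( $_POST['action'] ) && $_POST['action'] === 'save' ) {
        update_option( 'example_gallery_columns', $_POST['columns'] );
    }
    add_options_page( 'Gallery', 'Gallery', 'manage_options', 'example-gallery', 'example_gallery_render_page' );
}

// HARDENED: admin_menu only registers the page; the write lives in an
// admin-post.php handler that re-checks capability and a nonce.
function example_gallery_admin() {
    add_options_page( 'Gallery', 'Gallery', 'manage_options', 'example-gallery', 'example_gallery_render_page' );
}
add_action( 'admin_menu', 'example_gallery_admin' );

function example_gallery_save() {
    if ( ! current_user_can( 'manage_options' ) ) { // authorization, checked again here
        wp_die( esc_html__( 'Insufficient permissions.', 'example-gallery' ), 403 );
    }
    check_admin_referer( 'example_gallery_save', 'example_gallery_nonce' ); // anti-CSRF
    $columns = isset( $_POST['columns'] ) ? absint( $_POST['columns'] ) : 0; // validate input
    if ( $columns < 1 || $columns > 6 ) {
        wp_die( esc_html__( 'Invalid column count.', 'example-gallery' ), 400 );
    }
    update_option( 'example_gallery_columns', $columns );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-gallery&updated=1' ) );
    exit;
}
add_action( 'admin_post_example_gallery_save', 'example_gallery_save' );

function example_gallery_render_page() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'example_gallery_save', 'example_gallery_nonce' );
    echo '<input type="hidden" name="action" value="example_gallery_save">';
    echo '<input type="number" name="columns" min="1" max="6"> ';
    submit_button( 'Save' );
    echo '</form>';
}
```

For detection, the hardened handler fails closed with a 403 on the capability check, so a log entry for that response from a low-privilege account is the signal to watch for; in the vulnerable shape the write succeeds silently.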