CVE-2025-12081
Unauthorized Data Modification in ACF Photo Gallery WordPress Plugin
Publication date: 2026-02-19
Last updated on: 2026-02-19
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| navneil_naicker | navz_photo_gallery | to 3.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'To mitigate CVE-2025-12081, immediate steps include:'}, {'type': 'list_item', 'content': 'Update the navz-photo-gallery WordPress plugin to the latest version that includes the security patch addressing this vulnerability.'}, {'type': 'list_item', 'content': 'Ensure that nonce verification and user capability checks are properly enforced in the plugin, especially for the "acf_photo_gallery_edit_save" AJAX handler.'}, {'type': 'list_item', 'content': 'Restrict user permissions so that only trusted users have subscriber level access or higher, minimizing the risk of unauthorized data modification.'}, {'type': 'list_item', 'content': 'Monitor and audit media attachment metadata changes for suspicious activity.'}, {'type': 'list_item', 'content': 'If immediate update is not possible, consider disabling or restricting access to the vulnerable plugin functionality temporarily.'}] [2, 4]
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2025-12081 is a vulnerability in the ACF Photo Gallery Field plugin for WordPress, specifically in the function "acf_photo_gallery_edit_save". This function lacks proper capability checks, allowing authenticated users with subscriber-level access or higher to modify the title, caption, and custom metadata of any media attachments.'}, {'type': 'paragraph', 'content': 'Although the function performs nonce verification and input sanitization, it does not verify whether the user has permission to edit the specific media attachment, which can lead to unauthorized data modification.'}] [4]
How can this vulnerability impact me? :
This vulnerability allows attackers who are authenticated with at least subscriber-level access to modify arbitrary media attachments on a WordPress site using the affected plugin.
- Attackers can change the title, caption, and custom metadata of media files without proper authorization.
- Such unauthorized modifications can lead to misinformation, defacement, or manipulation of media content displayed on the website.
- It may also facilitate further attacks if manipulated media metadata is used in other parts of the site or integrated systems.
The vulnerability has a CVSS v3.1 base score of 4.3, indicating a low to medium severity impact primarily on integrity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'Detection of CVE-2025-12081 involves identifying unauthorized attempts to modify media attachment metadata via the vulnerable AJAX action "acf_photo_gallery_edit_save" in the navz-photo-gallery WordPress plugin.'}, {'type': 'paragraph', 'content': 'You can monitor HTTP requests to your WordPress site for POST requests targeting the AJAX endpoint with the action parameter set to "acf_photo_gallery_edit_save".'}, {'type': 'paragraph', 'content': 'Example commands to detect such activity include:'}, {'type': 'list_item', 'content': 'Using web server logs (e.g., Apache or Nginx) to search for suspicious POST requests:'}, {'type': 'list_item', 'content': "grep 'action=acf_photo_gallery_edit_save' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': "grep 'action=acf_photo_gallery_edit_save' /var/log/nginx/access.log"}, {'type': 'list_item', 'content': 'Using network monitoring tools like tcpdump or Wireshark to filter HTTP POST requests containing the vulnerable AJAX action.'}, {'type': 'list_item', 'content': "Example tcpdump filter: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'action=acf_photo_gallery_edit_save'"}, {'type': 'paragraph', 'content': 'Additionally, checking WordPress logs or enabling debug logging to capture unauthorized modification attempts to media attachments can help detect exploitation.'}] [1, 4]