CVE-2025-15524
Unauthorized Data Access in FooGallery WordPress Plugin via Missing Capability Check
Publication date: 2026-02-11
Last updated on: 2026-02-11
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| foogallery | foogallery | up to and including 3.1.9 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Gallery by FooGallery plugin for WordPress has a vulnerability due to a missing capability check in the ajax_get_gallery_info() function in all versions up to and including 3.1.9.
This flaw allows authenticated attackers with Subscriber-level access or higher to retrieve metadata such as the name, image count, and thumbnail URL of private, draft, and password-protected galleries by enumerating gallery IDs.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive gallery metadata that is intended to be private or restricted.
Attackers with low-level authenticated access can enumerate gallery IDs to access information about private, draft, or password-protected galleries, potentially exposing confidential or sensitive content details.
While the vulnerability does not allow modification or deletion of data, the exposure of metadata could aid attackers in further reconnaissance or targeted attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the ajax_get_gallery_info() AJAX endpoint of the FooGallery plugin with an authenticated user account having Subscriber-level access or higher.
You can test for unauthorized access by enumerating gallery IDs and checking whether metadata (name, image count, thumbnail URL) of private, draft, or password-protected galleries is returned without proper capability checks.
A possible command using curl to test this (replace URL, nonce, and gallery ID accordingly) is:

```shell
curl -X POST -b 'wordpress_logged_in=your_auth_cookie' -d 'action=foogallery_ajax_get_gallery_info&gallery_id=GALLERY_ID&_ajax_nonce=NONCE_VALUE' https://yourwordpresssite.com/wp-admin/admin-ajax.php
```

If the response returns gallery metadata for galleries that should be private or restricted, the vulnerability is present. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the FooGallery plugin to a version later than 3.1.9 where this vulnerability is fixed.
If an update is not immediately possible, restrict access to the ajax_get_gallery_info() AJAX endpoint by limiting access to trusted users only or by implementing additional server-side access controls.
Additionally, review and tighten user roles and permissions to ensure that only trusted users have Subscriber-level or higher access.
Monitoring and logging AJAX requests to detect unusual enumeration attempts can also help in early detection and response.
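As an added example (not part of this record or of the FooGallery plugin's own code), the enumeration detection suggested above, run over constructed per-request AJAX log lines: it flags any user who requests gallery info for many distinct gallery IDs within a short window. The JSON-per-line format and the field names (ts, user, action, gallery_id) are assumptions, since standard web access logs do not record POST bodies; the action name is the one used in the curl example on this page.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of application-level AJAX request logs, one JSON object per line.
# Field names are assumptions for this example; a real deployment would emit them from
# a WordPress logging hook or a WAF in front of admin-ajax.php.
SAMPLE_LOG = """\
{"ts": "2026-02-11T10:00:01", "user": "alice", "action": "foogallery_ajax_get_gallery_info", "gallery_id": 12}
{"ts": "2026-02-11T10:00:02", "user": "bob", "action": "foogallery_ajax_get_gallery_info", "gallery_id": 1}
{"ts": "2026-02-11T10:00:03", "user": "bob", "action": "foogallery_ajax_get_gallery_info", "gallery_id": 2}
{"ts": "2026-02-11T10:00:04", "user": "bob", "action": "foogallery_ajax_get_gallery_info", "gallery_id": 3}
{"ts": "2026-02-11T10:00:05", "user": "bob", "action": "foogallery_ajax_get_gallery_info", "gallery_id": 4}
{"ts": "2026-02-11T10:00:06", "user": "bob", "action": "foogallery_ajax_get_gallery_info", "gallery_id": 5}
{"ts": "2026-02-11T10:00:07", "user": "bob", "action": "heartbeat", "gallery_id": null}
{"ts": "2026-02-11T10:30:00", "user": "alice", "action": "foogallery_ajax_get_gallery_info", "gallery_id": 13}
"""

# Action name as it appears in the curl example on this page.
TARGET_ACTION = "foogallery_ajax_get_gallery_info"


def find_enumerators(log_text, window=timedelta(minutes=5), threshold=5):
    """Return {user: distinct_gallery_ids} for every user who requested info on at
    least `threshold` distinct gallery IDs within some sliding `window` of time."""
    per_user = defaultdict(list)  # user -> [(timestamp, gallery_id)] for the target action
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("action") != TARGET_ACTION or rec.get("gallery_id") is None:
            continue
        per_user[rec["user"]].append((datetime.fromisoformat(rec["ts"]), int(rec["gallery_id"])))

    flagged = {}
    for user, events in per_user.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Advance the window start until events[start] lies within `window` of events[end].
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({gid for _, gid in events[start:end + 1]}))
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))  # {'bob': 5}
```

Alice's two requests are legitimate-looking single lookups half an hour apart, so they stay below threshold at the default window; bob's burst of five consecutive IDs in five seconds is flagged.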