CVE-2026-54190
Unauthenticated Broken Access Control in Envira Photo Gallery

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: Patchstack

Description
Unauthenticated Broken Access Control in Envira Photo Gallery <= 1.12.5 versions.
Meta Information
Published: 2026-06-16
Last Modified: 2026-06-16
Generated: 2026-06-16
AI Q&A: 2026-06-16
EPSS Evaluated: N/A
Affected Vendors & Products
1 associated CPE
Vendor: envira_gallery
Product: envira_photo_gallery
Version / Range: up to and including 1.12.5
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
AI Quick Actions
Compliance Impact

The vulnerability allows unauthenticated users to perform higher-privileged actions due to broken access control, which can lead to unauthorized access or modification of data.

Such unauthorized access or actions may result in non-compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.

Therefore, if exploited, this vulnerability could lead to violations of these regulations by exposing or altering protected information without proper authorization.

Executive Summary

The WordPress Envira Photo Gallery Plugin, versions 1.12.5 and below, contains a Broken Access Control vulnerability (CVE-2026-54190). This means that unauthenticated users can perform actions that should require higher privileges because the plugin lacks proper authorization, authentication, or nonce token checks.

This vulnerability allows attackers to bypass security controls and execute actions without proper permissions.

Impact Analysis

This vulnerability can be moderately dangerous as it allows unauthenticated users to perform privileged actions, potentially leading to unauthorized changes or disruptions.

It may be exploited in mass campaigns targeting thousands of websites, increasing the risk of widespread impact.

If exploited, it could lead to integrity and availability issues within the affected website or system.

Immediate action is recommended, such as updating the plugin to version 1.12.6 or later, or applying mitigation rules provided by Patchstack.

Detection Guidance

The vulnerability allows unauthenticated users to perform higher-privileged actions due to missing authorization, authentication, or nonce token checks in Envira Photo Gallery Plugin versions 1.12.5 and below.

Detection can involve monitoring for unusual or unauthorized requests to the Envira Photo Gallery plugin endpoints, especially requests from unauthenticated clients to endpoints that perform privileged actions.

Patchstack has provided a mitigation rule to block attacks until the plugin is updated, which may include detection signatures or firewall rules.

However, specific commands or detection scripts are not provided in the available resources.

Mitigation Strategies

Immediate mitigation steps include updating the Envira Photo Gallery plugin to version 1.12.6 or later, which contains the fix for this vulnerability.

If updating is not possible immediately, users should seek assistance from their hosting provider or web developer.

Additionally, applying the mitigation rule provided by Patchstack to block attacks targeting this vulnerability is recommended until the plugin is updated.
