WordPress Security Bulletin: Image Gallery 6 Photo Grid & Video Gallery Plugin Vulnerability (CVE-2025-14003)


Security Alert Summary

The Image Gallery 6 Photo Grid & Video Gallery plugin for WordPress contains a missing capability check in the add_images_to_gallery_callback() function in all versions up to and including 2.13.3. Authenticated users with Author-level access and above can add images to Modula galleries owned by other users, resulting in an integrity impact on gallery content.


CVE Details

  • CVE ID: CVE-2025-14003
  • Affected plugin / component: The Image Gallery 6 Photo Grid & Video Gallery plugin for WordPress
  • Affected versions: All versions up to, and including, 2.13.3
  • Fixed version: Not specified in the CVE entry
  • Published: December 15, 2025 at 3:15:48 PM
  • Last modified: December 15, 2025 at 6:22:13 PM
  • CVSS v3.1: Base Score 4.3, Severity MEDIUM
    • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
    • Attack Vector: NETWORK
    • Attack Complexity: LOW
    • Privileges Required: LOW (Author-level or above)
    • User Interaction: NONE
    • Scope: UNCHANGED
    • Confidentiality Impact: NONE
    • Integrity Impact: LOW
    • Availability Impact: NONE
  • CWE / Weakness ID: CWE-862

Technical Details

The vulnerability is caused by a missing capability check in the add_images_to_gallery_callback() function. Because the function does not verify that the requesting user has permission to modify a specific Modula gallery, authenticated users with Author-level access or higher can add images to galleries that belong to other users. The issue arises from inadequate authorization checks rather than a flaw in authentication or input handling.

The practical consequence is an integrity impact on gallery content: an attacker who can authenticate as an Author (or higher) may insert images into another user’s gallery. The CVE description does not name additional functions, REST endpoints, or specific request parameters beyond the referenced callback, and no further exploitation details are provided in the entry.
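As an added illustration of the weakness class described above (this is example code written for this bulletin, not Modula's code; the function names, the `example_gallery` post type, the meta key, and the nonce action are all assumptions), the following shows an AJAX handler that relies only on the caller being logged in, beside a hardened version that checks a nonce and the per-post `edit_post` capability before writing to the gallery:

```php
<?php
// Illustrative example only: not the plugin's actual code. Function names,
// post type, meta key, nonce action and request parameters are assumptions.

// Weak pattern: wp_ajax_* hooks fire for any authenticated user, and nothing
// here asks whether this user may edit *this* gallery. Any Author can therefore
// append images to a gallery owned by someone else (CWE-862, missing authorization).
function example_add_images_weak() {
    $gallery_id = absint( $_POST['gallery_id'] ?? 0 );
    $image_ids  = array_map( 'absint', (array) ( $_POST['images'] ?? array() ) );

    $existing = (array) get_post_meta( $gallery_id, 'example_gallery_images', true );
    update_post_meta( $gallery_id, 'example_gallery_images', array_merge( $existing, $image_ids ) );
    wp_send_json_success();
}

// Hardened pattern: verify the request nonce, confirm the target really is a
// gallery post, and check the object-level capability for that specific post.
function example_add_images_hardened() {
    // Rejects the request (HTTP 403) if the nonce is missing or invalid.
    check_ajax_referer( 'example_add_images', 'nonce' );

    $gallery_id = absint( $_POST['gallery_id'] ?? 0 );
    $gallery    = get_post( $gallery_id );

    if ( ! $gallery || 'example_gallery' !== $gallery->post_type ) {
        wp_send_json_error( 'Invalid gallery.', 400 );
    }

    // edit_post is a meta capability mapped per post: an Author passes it only
    // for posts they own, while Editors and Administrators pass it for all posts.
    if ( ! current_user_can( 'edit_post', $gallery_id ) ) {
        wp_send_json_error( 'You are not allowed to edit this gallery.', 403 );
    }

    // Accept only IDs that refer to real attachments, not arbitrary post IDs.
    $image_ids = array_map( 'absint', (array) ( $_POST['images'] ?? array() ) );
    $image_ids = array_values( array_filter( $image_ids, function ( $id ) {
        return 'attachment' === get_post_type( $id );
    } ) );

    $existing = (array) get_post_meta( $gallery_id, 'example_gallery_images', true );
    $merged   = array_values( array_unique( array_merge( $existing, $image_ids ) ) );
    update_post_meta( $gallery_id, 'example_gallery_images', $merged );

    wp_send_json_success( array( 'added' => count( $image_ids ), 'total' => count( $merged ) ) );
}

// Register only the hardened handler; no wp_ajax_nopriv_ hook is added, so
// unauthenticated requests never reach it.
add_action( 'wp_ajax_example_add_images', 'example_add_images_hardened' );
```

The decisive line is the `current_user_can( 'edit_post', $gallery_id )` check: a nonce alone only proves the request came from the site's own UI, it does not establish that the caller is allowed to change that particular gallery. When auditing a plugin's AJAX or REST handlers, look for exactly this object-level check rather than a bare `is_user_logged_in()` or a role-wide capability such as `edit_posts`.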


How This Could Impact Your Website

Consider a small business site where multiple contributors and authors manage portfolio galleries. A staff member or external contributor with Author-level access could, intentionally or accidentally, add images into galleries owned by other users. This may lead to unauthorized content appearing on pages or in portfolios, which can harm site presentation or brand trust and could be used to place misleading or malicious images that facilitate social engineering against site visitors or staff.

The CVSS metrics indicate the primary impact is to integrity (ability to modify gallery content) and not confidentiality or availability. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially Contributors and Authors who do not need gallery modification rights.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and gallery changes for unusual behavior or unauthorized content additions.
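One way to act on the last recommendation is to record gallery writes made by someone other than the gallery's owner. The snippet below is an added example for this bulletin, not part of the plugin; it can be dropped into `wp-content/mu-plugins/` and hooks WordPress's `added_post_meta` / `updated_post_meta` actions. The `modula-gallery` post type slug is an assumption: set it to whatever post type your gallery plugin actually registers.

```php
<?php
// Added monitoring example, not part of the plugin. The watched post type slug
// is an assumption; adjust it to the post type your gallery plugin registers.
define( 'EXAMPLE_WATCHED_POST_TYPE', 'modula-gallery' );

/**
 * Log any post-meta write on a gallery post made by a logged-in user who does
 * not own that gallery. Editors and Administrators legitimately do this, so the
 * log line includes the actor's roles to make triage easy.
 */
function example_log_cross_owner_gallery_change( $meta_id, $post_id, $meta_key, $meta_value ) {
    $post = get_post( $post_id );
    if ( ! $post || EXAMPLE_WATCHED_POST_TYPE !== $post->post_type ) {
        return;
    }

    $actor_id = get_current_user_id();
    // Ignore cron/CLI writes (no user) and writes by the gallery's own author.
    if ( 0 === $actor_id || (int) $post->post_author === $actor_id ) {
        return;
    }

    $actor = get_userdata( $actor_id );
    $ip    = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'n/a';

    $line = sprintf(
        '[gallery-audit] user=%s(%d) roles=%s modified gallery=%d owner=%d key=%s ip=%s',
        $actor ? $actor->user_login : 'unknown',
        $actor_id,
        $actor ? implode( ',', $actor->roles ) : '',
        $post_id,
        (int) $post->post_author,
        $meta_key,
        $ip
    );

    // Goes to the PHP error log (or wp-content/debug.log when WP_DEBUG_LOG is on).
    error_log( $line );
}

// Both hooks pass ( $meta_id, $object_id, $meta_key, $meta_value ).
add_action( 'added_post_meta',   'example_log_cross_owner_gallery_change', 10, 4 );
add_action( 'updated_post_meta', 'example_log_cross_owner_gallery_change', 10, 4 );
```

A line showing an `author`-role account writing to a gallery it does not own is the signal to look for; on a site where only Editors and Administrators are expected to curate other people's galleries, that line should never appear.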

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.

