Envira Gallery
cpe:2.3:a:enviragallery:envira_gallery:*:*:*:*:wordpress:*:*
- <= 1.12.0
A vulnerability exists in the Envira Photo Gallery plugin for WordPress, specifically in versions through 1.12.0. The issue arises from a lack of proper capability checks in several functions, allowing authenticated attackers with Author-level access or higher to make unauthorized changes. This includes actions such as removing images from any gallery. While the vulnerability was partially addressed in version 1.12.0, it remains a concern for users of earlier versions.
Exploitation of this vulnerability allows for unauthorized removal of images from galleries, potentially leading to disruption of gallery content and presentation.
To reproduce this vulnerability, an authenticated user with Author-level access must interact with the affected WordPress site. The user can then use the Envira Photo Gallery plugin's features that involve managing gallery images, such as the 'wp_ajax_envira_gallery_remove_image' or 'wp_ajax_envira_gallery_remove_images' actions. These actions can be triggered via AJAX requests without the necessary capability checks, allowing the user to remove images from galleries arbitrarily.
Users are advised to update the Envira Photo Gallery plugin to version 1.12.1 or later, where this vulnerability has been patched.
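Where the update cannot be applied immediately, a capability check can be placed in front of the two AJAX actions named above. The following must-use plugin is an added example, not code from Envira Gallery. It assumes the gallery ID is sent as `post_id` in the POST body and that the plugin's own handlers are registered at a priority later than 0. The function name `example_envira_guard_remove` is hypothetical.

```php
<?php
/**
 * Added example (not Envira Gallery's code): stopgap must-use plugin that
 * enforces a per-gallery capability check on the image-removal AJAX actions.
 * Save as wp-content/mu-plugins/example-envira-guard.php.
 */

defined( 'ABSPATH' ) || exit;

/**
 * Runs before the plugin's handler and rejects the request unless the
 * current user may edit the gallery that the request targets.
 */
function example_envira_guard_remove() {
	// Assumption: the target gallery ID is sent as 'post_id'.
	$gallery_id = isset( $_POST['post_id'] )
		? absint( wp_unslash( $_POST['post_id'] ) )
		: 0;

	// 'edit_post' is a meta capability. WordPress maps it to the primitive
	// capability required for this specific post, so an Author passes for
	// galleries they own and fails for galleries owned by other users.
	if ( ! $gallery_id || ! current_user_can( 'edit_post', $gallery_id ) ) {
		// Sends a JSON error with HTTP 403 and terminates the request,
		// so handlers hooked at later priorities never run.
		wp_send_json_error(
			array( 'message' => 'Not allowed to modify this gallery.' ),
			403
		);
	}
	// Authorized: return so the plugin's own handler runs as usual.
}

// Priority 0 places the guard ahead of handlers added at the default
// priority of 10 (assumed for the plugin's handlers).
foreach ( array( 'envira_gallery_remove_image', 'envira_gallery_remove_images' ) as $action ) {
	add_action( 'wp_ajax_' . $action, 'example_envira_guard_remove', 0 );
}
```

Remove the file once the plugin has been updated to a patched version.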