Unauthorized Data Modification Vulnerability in Envira Photo Gallery Plugin for WordPress
CVE-2023-6742

4.3MEDIUM

Key Information:

Vendor: Wordpress
Status: Gallery Plugin for WordPress – Envira Photo Gallery
Vendor: CVE Published:; 11 January 2024

Summary

The Envira Photo Gallery plugin for WordPress is susceptible to a vulnerability allowing authenticated attackers, with contributor access or higher, to execute unauthorized modifications of gallery data. This occurs due to inadequate capability checks in the 'envira_gallery_insert_images' function, thereby potentially affecting the integrity of media galleries across user posts. All versions up to and including 1.8.7.1 are impacted, making it crucial for users to apply available updates and ensure proper permissions for their WordPress installations. Immediate action is recommended to mitigate risks associated with this vulnerability.

Affected Version(s)

Gallery Plugin for WordPress – Envira Photo Gallery * <= 1.8.7.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/envira-gallery...

https://plugins.trac.wordpress.org/changeset/3017115/envi...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 11, 2024
Vulnerability Reserved
Dec 12, 2023

Credit

Nex Team