Atomic Edge analysis of CVE-2025-12081:
The ACF Photo Gallery Field plugin for WordPress, versions up to and including 3.0, contains a missing authorization vulnerability. The flaw allows authenticated attackers with subscriber-level permissions or higher to modify the title, caption, and custom metadata of arbitrary media attachments. This vulnerability stems from an insufficient capability check in the plugin’s AJAX handler for saving gallery edits.

Atomic Edge research identifies the root cause in the `acf_photo_gallery_edit_save()` function within the file `/navz-photo-gallery/includes/acf_photo_gallery_edit_save.php`. The vulnerable function, registered via `add_action( 'wp_ajax_acf_photo_gallery_edit_save', 'acf_photo_gallery_edit_save' )`, processes POST requests to update attachment metadata. The original code (lines 6-48) only verified a nonce and the presence of an `attachment_id` parameter. It lacked any check for the user's capability to edit the target post, such as `current_user_can( 'edit_post', $attachment_id )`. This omission allowed any authenticated user to pass data to the `wp_update_post()` and `update_post_meta()` functions for any attachment ID.

Exploitation requires an authenticated WordPress session with at least subscriber-level access. Attackers send a POST request to the WordPress AJAX endpoint `/wp-admin/admin-ajax.php` with the `action` parameter set to `acf_photo_gallery_edit_save`. The request must include a valid nonce, which is obtainable by a subscriber via the plugin’s interface, and parameters like `attachment_id`, `title`, `caption`, `acf_field_key`, and `acf_field_name`. By manipulating the `attachment_id`, an attacker can target any media library item. The `wp_update_post()` call modifies the attachment’s core fields, while the subsequent loop updates arbitrary custom metadata prefixed with the field name.

The patch, applied in version 3.1, adds a critical authorization check. In the updated `acf_photo_gallery_edit_save.php` file (lines 29-31), the function now validates `if ( ! current_user_can( 'edit_post', $attachment_id ) )` before processing updates. This check ensures the user has explicit permission to edit the specified attachment. The patch also improves input sanitization by using `absint()` and `wp_unslash()`, and it replaces `die()` with structured JSON responses. The authorization check directly addresses the missing capability verification that constituted the vulnerability.
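A hardened version of the AJAX handler the analysis above describes, written here as an added illustration rather than the plugin's own code (which is not reproduced on this page): the handler name, request parameters and `edit_post` capability are the ones quoted in the analysis, while the nonce action name, the `custom` array parameter and the meta-key scheme are assumptions. The comment block marks the single check whose absence constituted the vulnerability.

```php
<?php
// Illustrative hardened handler modelled on the analysis of CVE-2025-12081.
// Not the plugin's source: nonce action name, the `custom` parameter and the
// meta-key scheme are assumptions; everything else follows the description.

add_action( 'wp_ajax_acf_photo_gallery_edit_save', 'acf_photo_gallery_edit_save' );

function acf_photo_gallery_edit_save() {
    // Nonce: proves the request came through the plugin's UI (CSRF protection).
    // It says nothing about WHICH attachment this user may edit; the pre-3.1
    // code stopped validating here, which is the whole vulnerability.
    check_ajax_referer( 'acf_photo_gallery_edit', 'nonce' );

    // Coerce the target id before it is used anywhere.
    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    if ( ! $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid attachment.' ), 400 );
    }

    // The missing check (added in 3.1): edit_post is a meta capability that
    // WordPress maps per object, so a subscriber fails it for any attachment
    // and an author fails it for other users' uploads.
    if ( ! current_user_can( 'edit_post', $attachment_id ) ) {
        wp_send_json_error( array( 'message' => 'You may not edit this attachment.' ), 403 );
    }

    // Core fields: unslash, then sanitise. WordPress stores captions in post_excerpt.
    $title   = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    $caption = isset( $_POST['caption'] ) ? sanitize_textarea_field( wp_unslash( $_POST['caption'] ) ) : '';

    $updated = wp_update_post(
        array( 'ID' => $attachment_id, 'post_title' => $title, 'post_excerpt' => $caption ),
        true
    );
    if ( is_wp_error( $updated ) ) {
        wp_send_json_error( array( 'message' => $updated->get_error_message() ), 500 );
    }

    // Custom metadata: write only keys under the plugin's own field-name prefix,
    // so a caller cannot overwrite unrelated meta such as _wp_attached_file.
    $field_name = isset( $_POST['acf_field_name'] ) ? sanitize_key( wp_unslash( $_POST['acf_field_name'] ) ) : '';
    $custom     = ( '' !== $field_name && isset( $_POST['custom'] ) && is_array( $_POST['custom'] ) ) ? wp_unslash( $_POST['custom'] ) : array();
    foreach ( $custom as $key => $value ) {
        update_post_meta( $attachment_id, $field_name . '_' . sanitize_key( $key ), sanitize_text_field( $value ) );
    }

    wp_send_json_success( array( 'attachment_id' => $attachment_id ) );
}
```

Because `wp_send_json_error()` calls `wp_die()`, each failed check terminates the request before `wp_update_post()` or `update_post_meta()` can run.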

Successful exploitation allows attackers to alter the title, caption, and linked custom metadata of any media attachment. This can lead to defacement if modified images are displayed on public sites, data integrity issues, and potential SEO manipulation. While the vulnerability does not grant direct file upload or deletion rights, it enables unauthorized content modification, which can be used in conjunction with other attacks or to spread misinformation. The impact is limited to the data controlled by the plugin’s metadata fields and does not escalate user privileges within WordPress itself.