PT-2025-45560 · WordPress · Envira Photo Gallery

Lucas Montes · Published 2025-11-08 · Updated 2025-11-08 · CVE-2025-11448

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Envira Photo Gallery versions up to and including 1.11.0

Description

The Envira Photo Gallery plugin for WordPress is susceptible to unauthorized data modification. This is due to a missing capability check on the /envira-convert/v1/bulk-convert API endpoint. Authenticated attackers with contributor-level access or higher can convert galleries to Envira galleries. The vulnerable parameter is not specified.

Recommendations

Update Envira Photo Gallery to a version newer than 1.11.0.
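To check whether the endpoint named in the description has been called on a site, the following added example (not part of the advisory or the plugin) scans web server access logs for requests to that route. It assumes Combined Log Format and WordPress's default REST URL forms; the function names and sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Route named in the advisory. "/wp-json/" is WordPress's default REST prefix
# and "?rest_route=" is the form used without pretty permalinks.
ROUTE = "/envira-convert/v1/bulk-convert"

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [08/Nov/2025:10:01:02 +0000] "POST /wp-json/envira-convert/v1/bulk-convert HTTP/1.1" 200 58 "-" "-"',
    '198.51.100.7 - - [08/Nov/2025:10:01:09 +0000] "POST /index.php?rest_route=%2Fenvira-convert%2Fv1%2Fbulk-convert HTTP/1.1" 200 58 "-" "-"',
    '192.0.2.10 - - [08/Nov/2025:10:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4312 "-" "-"',
    '192.0.2.44 - - [08/Nov/2025:10:03:15 +0000] "POST /blog/wp-json/envira-convert/v1/bulk-convert/ HTTP/1.1" 403 120 "-" "-"',
]

def rest_route(target):
    """Return the REST route a request target addresses, or None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    idx = path.find("/wp-json/")
    if idx != -1:
        return "/" + path[idx + len("/wp-json/"):].strip("/")
    values = parse_qs(parts.query).get("rest_route")
    return "/" + values[0].strip("/") if values else None

def find_bulk_convert_hits(lines):
    """Return (ip, time, method, status) for each request to ROUTE."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        route = rest_route(m["target"])
        if route and route.lower() == ROUTE:  # compare case-insensitively
            hits.append((m["ip"], m["time"], m["method"], int(m["status"])))
    return hits

if __name__ == "__main__":
    hits = find_bulk_convert_hits(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print(Counter(ip for ip, *_ in hits).most_common())
```

Access logs do not record which WordPress account made a request, so any hits need to be correlated with the sessions of contributor-level or higher users on the site.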

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2025-11448

Affected Products

Envira Photo Gallery