CVE-2026-5347

Name of the Vulnerable Software and Affected Versions HM Books Gallery versions prior to 4.8.1

Description The plugin is subject to missing authorization due to the absence of capability checks and nonce verification within the admin init hook. Specifically, the code at lines 205-209 of wp-books-gallery.php only verifies the presence of the permalink structure POST parameter before updating the wbg cpt slug option, failing to ensure the request originates from an authenticated administrator. This allows unauthenticated attackers to modify the custom post type slug for the books gallery, altering the URL structure for all book entries and potentially disrupting existing links and SEO rankings.

Recommendations Update to a version later than 4.8.0.