CVE-2025-11448 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the Envira Photo Gallery plugin for WordPress, developed by smub. The issue arises from the absence of a proper capability check on the REST API endpoint '/envira-convert/v1/bulk-convert', which is responsible for converting galleries to Envira galleries. This endpoint is accessible to authenticated users with contributor-level privileges or higher, allowing them to perform unauthorized modifications to gallery data. The vulnerability affects all versions up to and including 1.11.0. The CVSS v3.1 base score is 4.3 (medium), reflecting that the attack vector is network-based (AV:N), with low attack complexity (AC:L), requiring privileges (PR:L) but no user interaction (UI:N). The impact is limited to integrity (I:L) with no confidentiality (C:N) or availability (A:N) impact. Since contributors typically have limited permissions, the risk is constrained but still significant because unauthorized data modification can affect website content and user trust. No patches or exploits are currently known, but the vulnerability is publicly disclosed and should be addressed promptly. The vulnerability is particularly relevant for websites that allow multiple contributors or editors to manage content and use the Envira Photo Gallery plugin for media management.

The primary impact of CVE-2025-11448 is unauthorized modification of gallery data within WordPress sites using the Envira Photo Gallery plugin. This can lead to content integrity issues, such as galleries being converted without proper authorization, potentially disrupting website presentation and user experience. While confidentiality and availability are not directly affected, the integrity compromise can undermine trust in the affected websites and may be leveraged as part of a broader attack chain. Organizations with multiple contributors or editors who have contributor-level access are at higher risk, especially if those users are untrusted or compromised. The vulnerability could be exploited to manipulate visual content, which might be critical for e-commerce, portfolio, or media-heavy websites. Although no exploits are currently known in the wild, the public disclosure increases the risk of future exploitation. The impact is global but more pronounced in regions with high WordPress adoption and extensive use of this plugin.

1. Immediately restrict contributor-level access to trusted users only, minimizing the risk of exploitation by untrusted or compromised accounts. 2. Monitor and audit REST API usage, specifically calls to '/envira-convert/v1/bulk-convert', to detect any unauthorized or suspicious activity. 3. Disable or restrict the Envira Photo Gallery plugin if it is not essential, or consider alternative plugins with better security track records. 4. Apply principle of least privilege to all WordPress user roles, ensuring contributors do not have unnecessary permissions. 5. Stay alert for official patches or updates from the plugin vendor and apply them promptly once released. 6. Implement Web Application Firewall (WAF) rules to detect and block unauthorized API calls targeting the vulnerable endpoint. 7. Educate site administrators and contributors about the risks of unauthorized API access and encourage strong authentication practices. 8. Regularly back up website data to enable recovery in case of unauthorized modifications.