CVE-2025-12081: CWE-862 Missing Authorization in navzme ACF Photo Gallery Field
The ACF Photo Gallery Field plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the "acf_photo_gallery_edit_save" function in all versions up to, and including, 3.0. This makes it possible for authenticated attackers, with subscriber level access and above, to modify the title, caption, and custom metadata of arbitrary media attachments.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-12081 affects the ACF Photo Gallery Field plugin developed by navzme for WordPress, specifically all versions up to and including 3.0. The root cause is a missing authorization check in the function acf_photo_gallery_edit_save, which is responsible for saving edits to photo gallery media attachments. Due to this missing capability check, any authenticated user with at least subscriber-level access can modify the title, caption, and custom metadata of arbitrary media attachments on the affected WordPress sites. This vulnerability falls under CWE-862 (Missing Authorization), indicating that the plugin fails to properly verify user permissions before allowing modifications. The CVSS 3.1 base score is 4.3 (medium severity), reflecting that exploitation requires network access and low privileges but does not impact confidentiality or availability, only integrity. There is no requirement for user interaction beyond authentication, and no known exploits have been reported in the wild. The vulnerability could be leveraged to manipulate website content, potentially misleading users or damaging the credibility of the site. Since media attachments are often publicly visible, unauthorized changes could be used for defacement or misinformation. The lack of patches currently necessitates interim mitigations. The vulnerability was published on February 19, 2026, with the issue reserved in October 2025. The plugin is widely used in WordPress environments, making this a relevant concern for many organizations relying on WordPress for content management.
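The missing-authorization pattern described above, reconstructed as an added illustration rather than the plugin's own code: only the function name acf_photo_gallery_edit_save comes from the advisory, while the admin-ajax entry point, the request fields and the meta key are assumptions. The hardened handler shows the checks WordPress expects before an attachment may be edited.

```php
<?php
// Added illustration of the CWE-862 pattern, not the plugin's code. Assumed: an
// admin-ajax entry point, the request fields id/title/caption/custom, and the
// meta key _acf_pg_custom. Only the function name is taken from the advisory.

// Shared write path: title and caption live on the attachment post, custom
// data in post meta. Sanitisation alone never decides WHO may write.
function acf_pg_apply_edit( $id ) {
    wp_update_post( array(
        'ID'           => $id,
        'post_title'   => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_excerpt' => sanitize_text_field( wp_unslash( $_POST['caption'] ?? '' ) ),
    ) );
    update_post_meta( $id, '_acf_pg_custom',
        sanitize_text_field( wp_unslash( $_POST['custom'] ?? '' ) ) );
}

// BEFORE (the defect class in the advisory): wp_ajax_* hooks run for any
// logged-in user, so a subscriber reaches this handler and the attachment id
// in the request is trusted without any capability check.
function acf_photo_gallery_edit_save_vulnerable() {
    acf_pg_apply_edit( absint( $_POST['id'] ?? 0 ) );
    wp_send_json_success();
}

// AFTER: nonce check (CSRF), object-type check, then a per-object capability
// check. edit_post on an attachment maps to edit_posts/edit_others_posts,
// which the subscriber role lacks, so the request is rejected with 403.
function acf_photo_gallery_edit_save_hardened() {
    check_ajax_referer( 'acf_photo_gallery_edit', 'nonce' );
    $id = absint( $_POST['id'] ?? 0 );
    if ( 'attachment' !== get_post_type( $id ) ) {
        wp_send_json_error( 'not an attachment', 400 );
    }
    if ( ! current_user_can( 'edit_post', $id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    acf_pg_apply_edit( $id );
    wp_send_json_success();
}
add_action( 'wp_ajax_acf_photo_gallery_edit_save', 'acf_photo_gallery_edit_save_hardened' );
```

A nonce on its own is not authorization: any logged-in user can obtain a valid nonce for their own session, so the current_user_can check is the line that actually closes the gap.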
Potential Impact
For European organizations, the primary impact of CVE-2025-12081 is on the integrity of web content managed via WordPress sites using the ACF Photo Gallery Field plugin. Unauthorized modification of media metadata can lead to misinformation, brand damage, and loss of user trust. Although confidentiality and availability are not directly affected, the integrity compromise can have reputational and operational consequences, especially for media companies, e-commerce platforms, and public sector websites that rely heavily on accurate media presentation. Attackers with subscriber-level access could alter media metadata to mislead visitors. This could also be a vector for social engineering or phishing if attackers change media descriptions to include malicious links or false claims. The vulnerability does not allow unauthenticated remote exploitation, which limits the attack surface to users with some level of access, but subscriber accounts are common and often less closely monitored. Organizations with large user bases or weak user access controls are therefore at higher risk. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once the vulnerability becomes widely known.
Mitigation Recommendations
European organizations should implement the following specific mitigations:
1) Immediately audit user roles and permissions in WordPress to ensure subscriber-level accounts have minimal privileges and are granted only when necessary.
2) Restrict the ability to upload or edit media attachments to trusted roles above subscriber level where possible.
3) Monitor media metadata changes closely using WordPress logging plugins or SIEM integrations to detect unauthorized modifications.
4) Employ web application firewalls (WAFs) with custom rules to detect anomalous requests targeting the acf_photo_gallery_edit_save function.
5) Educate site administrators and content managers to review media metadata regularly for suspicious changes.
6) Keep WordPress core and all plugins updated and subscribe to vendor advisories for prompt patch deployment once available.
7) Consider temporarily disabling or replacing the ACF Photo Gallery Field plugin if the risk is unacceptable and no patch is available.
8) Implement multi-factor authentication (MFA) for all user accounts to reduce the risk of compromised credentials being used to exploit this vulnerability.
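For mitigation 3 above (monitoring metadata changes), the following added example is a small must-use plugin, not part of the advisory or of the ACF Photo Gallery Field plugin, that writes each attachment title, caption or meta change as one JSON line to the PHP error log and flags edits made by users who would not pass the edit_post check. The hook names are WordPress core hooks; the plugin name, function name and log fields are assumptions.

```php
<?php
/**
 * Plugin Name: Attachment Metadata Audit (added example, assumed name)
 * Place in wp-content/mu-plugins/. Emits one JSON line per attachment edit to
 * the PHP error log so a SIEM can alert on edits by low-privilege accounts.
 */

function amma_log_event( $attachment_id, array $fields ) {
    $user = wp_get_current_user();
    // An account that cannot pass edit_post for this attachment yet changed its
    // metadata is exactly the CVE-2025-12081 pattern; flag it for SIEM rules.
    // (Unauthenticated contexts such as cron also land here and are flagged.)
    $suspicious = ! current_user_can( 'edit_post', $attachment_id );
    $event = array_merge( array(
        'event'      => 'attachment_metadata_change',
        'ts'         => gmdate( 'c' ),
        'attachment' => (int) $attachment_id,
        'user'       => $user->user_login,
        'roles'      => $user->roles,
        'ip'         => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        'suspicious' => $suspicious,
    ), $fields );
    error_log( wp_json_encode( $event ) );
}

// Core fires attachment_updated after wp_update_post() on an attachment;
// title is post_title, caption is post_excerpt, description is post_content.
add_action( 'attachment_updated', function ( $post_id, $after, $before ) {
    $changed = array();
    foreach ( array( 'post_title', 'post_excerpt', 'post_content' ) as $f ) {
        if ( $before->$f !== $after->$f ) {
            $changed[ $f ] = array( 'old' => $before->$f, 'new' => $after->$f );
        }
    }
    if ( $changed ) {
        amma_log_event( $post_id, array( 'changed' => $changed ) );
    }
}, 10, 3 );

// Core fires updated_post_meta after update_post_meta() changes a value;
// keep only rows that belong to attachments (custom gallery metadata).
add_action( 'updated_post_meta', function ( $meta_id, $object_id, $key, $value ) {
    if ( 'attachment' === get_post_type( $object_id ) ) {
        amma_log_event( $object_id, array( 'meta_key' => $key ) );
    }
}, 10, 4 );
```

A SIEM rule that keys on suspicious=true, or on roles containing subscriber, turns these lines into the detection the mitigation asks for without depending on the plugin's own request format.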
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-22T15:58:47.791Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69968d636aea4a407a3900c5
Added to database: 2/19/2026, 4:11:15 AM
Last enriched: 2/19/2026, 4:30:32 AM
Last updated: 2/21/2026, 12:18:07 AM