CVE-2025-12081: CWE-862 Missing Authorization in navzme ACF Photo Gallery Field
The ACF Photo Gallery Field plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the "acf_photo_gallery_edit_save" function in all versions up to, and including, 3.0. This makes it possible for authenticated attackers, with subscriber level access and above, to modify the title, caption, and custom metadata of arbitrary media attachments.
AI Analysis
Technical Summary
CVE-2025-12081 is a missing authorization vulnerability (CWE-862) in the navzme ACF Photo Gallery Field WordPress plugin. The issue arises because the acf_photo_gallery_edit_save function lacks a capability check, enabling authenticated users with low privileges (subscriber and above) to modify metadata of media attachments arbitrarily. This can lead to unauthorized data modification within the plugin's scope. The vulnerability affects all versions up to 3.0. The CVSS 3.1 base score is 4.3, indicating a medium severity impact primarily on integrity. No patch or remediation details are provided, and the plugin is not a cloud service.
Potential Impact
Authenticated users with subscriber-level access or higher can modify titles, captions, and custom metadata of arbitrary media attachments without proper authorization. This impacts data integrity but does not affect confidentiality or availability. There are no known active exploits reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict user privileges to trusted users only and monitor for unauthorized changes to media metadata. Avoid granting subscriber or higher roles to untrusted users. Follow vendor communications for updates on patches or official fixes.
CVE-2025-12081: CWE-862 Missing Authorization in navzme ACF Photo Gallery Field
Description
The ACF Photo Gallery Field plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the "acf_photo_gallery_edit_save" function in all versions up to, and including, 3.0. This makes it possible for authenticated attackers, with subscriber level access and above, to modify the title, caption, and custom metadata of arbitrary media attachments.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-12081 is a missing authorization vulnerability (CWE-862) in the navzme ACF Photo Gallery Field WordPress plugin. The issue arises because the acf_photo_gallery_edit_save function lacks a capability check, enabling authenticated users with low privileges (subscriber and above) to modify metadata of media attachments arbitrarily. This can lead to unauthorized data modification within the plugin's scope. The vulnerability affects all versions up to 3.0. The CVSS 3.1 base score is 4.3, indicating a medium severity impact primarily on integrity. No patch or remediation details are provided, and the plugin is not a cloud service.
Potential Impact
Authenticated users with subscriber-level access or higher can modify titles, captions, and custom metadata of arbitrary media attachments without proper authorization. This impacts data integrity but does not affect confidentiality or availability. There are no known active exploits reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict user privileges to trusted users only and monitor for unauthorized changes to media metadata. Avoid granting subscriber or higher roles to untrusted users. Follow vendor communications for updates on patches or official fixes.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-10-22T15:58:47.791Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69968d636aea4a407a3900c5
Added to database: 2/19/2026, 4:11:15 AM
Last enriched: 4/9/2026, 9:14:59 AM
Last updated: 5/21/2026, 8:34:50 PM
Views: 90
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.