Envira Gallery Lite is a popular WordPress gallery plugin with 100k+ installs, commonly used to build image galleries as a custom post type (envira). Galleries are frequently curated for portfolios, product pages, and editorial content, making integrity of gallery composition important. CVE-2025-12377 describes an incorrect authorization flaw in the AJAX image removal workflow: instead of enforcing object-level permissions on the target gallery, the handler accepts only the broad edit_posts capability. This means any user who can edit their own posts (e.g., Author) can tamper with any Envira gallery by removing images from it—without owning the gallery—resulting in visual defacement and content integrity loss.
| Field | Value |
| --- | --- |
| CVE | CVE-2025-12377 |
| Plugin Version | Gallery Plugin for WordPress – Envira Photo Gallery <= 1.12.0 |
| Severity | High |
| All-time downloads | 7 281 234 |
| Active installations | 100 000+ |
| Publicly Published | November 12, 2025 |
| Last Updated | November 12, 2025 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12377 , https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/envira-gallery-lite/gallery-plugin-for-wordpress-envira-photo-gallery-1120-missing-authorization-to-authenticated-author-multiple-gallery-actions |
Timeline
| Date | Event |
| --- | --- |
| October 14, 2025 | Plugin testing and vulnerability detection in the Gallery Plugin for WordPress – Envira Photo Gallery has been completed |
| October 14, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| November 12, 2025 | Registered CVE-2025-12377 |
Discovery of the Vulnerability
The vulnerable endpoint is the AJAX handler behind envira_gallery_remove_image(). The implementation checks only a generalized capability (edit_posts) rather than verifying that the user is authorized to edit the specific Envira gallery post (e.g., current_user_can('edit_post', $post_id)). With a valid nonce for the action envira-gallery-remove-image, the handler will accept an attacker-controlled post_id (victim gallery) and attachment_id (target image) and proceed to detach the image from that gallery. Importantly, the media file is not deleted; the plugin updates gallery metadata (_eg_gallery_data, _eg_in_gallery, _eg_has_gallery) to remove the association—causing the image to disappear from the victim gallery view.
Understanding Missing Authorization Attacks
WordPress security relies on capability checks that must be scoped to the object being modified. Using edit_posts only indicates the user can edit some posts, not this post. Correct design requires current_user_can('edit_post', $post_id) (or a stricter capability based on the custom post type) before performing any modification. Authorization mistakes like this are common in plugin AJAX endpoints that accept IDs in POST parameters. The practical effect is IDOR-like tampering: attackers can modify objects they do not own by supplying victim IDs, even though they’re authenticated and have only limited roles.
Exploiting the Missing Authorization Vulnerability
To exploit CVE-2025-12377, an attacker needs the session cookies of an Author-level (or higher) user.

PoC:

1. Log in as a user with edit_posts (e.g., Author) and open: http://127.0.0.1/wordpress/wp-admin/post-new.php?post_type=envira From the page source or DevTools, extract the nonce issued for the remove action (look for a field named nonce used with the action envira-gallery-remove-image). You can also capture it from your own gallery editor when removing any image legitimately; the same nonce value is accepted by the vulnerable endpoint.
2. From the public blog page that renders the victim gallery, determine the gallery post ID and the image (attachment) ID you want to remove. On the Envira front end these IDs are typically discoverable in the markup (e.g., a data attribute or the attachment page URL such as ?attachment_id=789). Take note of: post_id = the victim Envira gallery post ID; attachment_id = the ID of the image inside that gallery.
3. Send the forged AJAX request using your Author session cookies. Minimal curl:

```bash
curl -i -sS -X POST 'http://127.0.0.1/wordpress/wp-admin/admin-ajax.php' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Cookie: wordpress_logged_in=YOUR_AUTHOR_SESSION_COOKIE' \
  --data 'action=envira_gallery_remove_image&nonce=NONCE_FROM_STEP1&post_id=VICTIM_GALLERY_ID&attachment_id=TARGET_ATTACHMENT_ID'
```

4. Observe the effect. The response is true and, after a refresh, the chosen image disappears from the victim gallery grid. The media file and its attachment post still exist in the Media Library (no physical deletion occurs); only the link between that attachment and the gallery is removed, which visually defaces the gallery's composition.
This vulnerability enables content tampering/defacement at scale. On portfolio sites, attackers can remove key showcase images; on product pages, they can strip critical product visuals; on editorial sites, they can subtly alter published galleries to misrepresent events. Because the media file remains intact, detection may be delayed—admins may assume a rendering glitch rather than deliberate sabotage. In multi-author environments, this becomes a realistic insider threat: any Author can sabotage galleries created by other users, harming brand trust and potentially impacting revenue or reputation.
Recommendations for Improved Security
- Enforce object-level permission checks: replace broad checks like `current_user_can('edit_posts')` with `current_user_can('edit_post', $post_id)` and confirm `$post_id` is an Envira gallery post type.
- Scope nonces to the target object: tie the nonce to the gallery ID (e.g., `wp_create_nonce("envira-remove-$post_id")`) and validate against that same context.
- Validate input integrity: ensure the specified `attachment_id` is actually part of the specified gallery before updating meta structures.
- Audit similar endpoints: review other Envira AJAX handlers that accept `post_id`/`attachment_id` parameters to confirm they enforce object-scoped authorization.
- Monitoring and alerting: log removal events (user ID, IP, gallery ID, attachment ID) and alert administrators on abnormal removal patterns.
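The following is an added example, not Envira's own code, showing what the flaw described under "Discovery of the Vulnerability" looks like when the handler is written to the five recommendations above: a gallery-scoped nonce, an object-level `edit_post` check with a post-type guard, a membership check that the attachment really belongs to the gallery, the three meta updates, and an audit record for monitoring. The hook name `example_gallery_remove_image`, the nonce action prefix `example-remove-`, and the shape of the Envira meta arrays (`_eg_gallery_data['gallery'][attachment_id]`, `_eg_in_gallery` as a list of attachment IDs on the gallery, `_eg_has_gallery` as a list of gallery IDs on the attachment) are assumptions for illustration; the WordPress functions used are standard core APIs.

```php
<?php
/**
 * Added example (not Envira's code): an object-scoped AJAX handler that removes
 * an image from a gallery. Drop into wp-content/mu-plugins/ to try it out.
 * ASSUMED: hook name, nonce action prefix and the Envira meta array layout.
 */

// The weak pattern the advisory describes: a role-wide capability that says
// nothing about WHICH gallery the caller may edit, so any Author passes it.
// if ( ! current_user_can( 'edit_posts' ) ) { wp_send_json_error(); }

add_action( 'wp_ajax_example_gallery_remove_image', 'example_gallery_remove_image' );

function example_gallery_remove_image() {
    $post_id       = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    $nonce         = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';

    if ( ! $post_id || ! $attachment_id ) {
        wp_send_json_error( array( 'message' => 'missing ids' ), 400 );
    }

    // 1. Nonce scoped to the gallery: a nonce minted in the caller's own gallery
    //    editor does not verify against a different post_id.
    if ( ! wp_verify_nonce( $nonce, 'example-remove-' . $post_id ) ) {
        wp_send_json_error( array( 'message' => 'bad nonce' ), 403 );
    }

    // 2. Object-level authorization on THIS post, plus a post-type guard so the
    //    handler cannot be pointed at arbitrary posts.
    if ( 'envira' !== get_post_type( $post_id ) || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input integrity: the attachment must actually be part of this gallery.
    $data = get_post_meta( $post_id, '_eg_gallery_data', true );
    if ( ! is_array( $data ) || empty( $data['gallery'][ $attachment_id ] ) ) {
        wp_send_json_error( array( 'message' => 'attachment not in gallery' ), 400 );
    }

    // Update the three meta structures the advisory names (layout assumed).
    unset( $data['gallery'][ $attachment_id ] );
    update_post_meta( $post_id, '_eg_gallery_data', $data );

    $in_gallery = get_post_meta( $post_id, '_eg_in_gallery', true );
    $in_gallery = is_array( $in_gallery ) ? $in_gallery : array();
    update_post_meta( $post_id, '_eg_in_gallery', array_values( array_diff( $in_gallery, array( $attachment_id ) ) ) );

    $has_gallery = get_post_meta( $attachment_id, '_eg_has_gallery', true );
    $has_gallery = is_array( $has_gallery ) ? $has_gallery : array();
    update_post_meta( $attachment_id, '_eg_has_gallery', array_values( array_diff( $has_gallery, array( $post_id ) ) ) );

    // 4. Audit record for monitoring: who removed what, from where, and when.
    $entry = array(
        'event'         => 'gallery_image_removed',
        'user_id'       => get_current_user_id(),
        'ip'            => isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
        'gallery_id'    => $post_id,
        'attachment_id' => $attachment_id,
        'time'          => time(),
    );
    error_log( wp_json_encode( $entry ) );
    // Let a separate alerting plugin subscribe and flag bursts of removals.
    do_action( 'example_gallery_image_removed', $entry );

    wp_send_json_success( array( 'removed' => $attachment_id ) );
}

// Issue the nonce when rendering the editor for a specific gallery, so the
// token is only valid for that gallery's ID.
function example_gallery_remove_nonce( $post_id ) {
    return wp_create_nonce( 'example-remove-' . absint( $post_id ) );
}
```

Two design points matter here. The nonce check alone is not an authorization control (WordPress nonces only prove the request originated from a page the user loaded), which is why step 2 performs the real permission decision; scoping the nonce to the gallery ID just removes the "borrow a nonce from my own gallery" shortcut the PoC relies on. And because the meta-level removal leaves the media file intact, the audit entry in step 4 is what gives an administrator a way to tell deliberate tampering from a rendering glitch.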
By taking proactive measures to address missing authorization vulnerabilities like CVE-2025-12377, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.
