Vulnerabilities and security researches forwp-books-gallery wp-books-gallery

Jun 06, 2024

CVE, Research URL: b69dbce53b171e969bbe446d27443738fbca8476
Home page URL: Security reports for WordPress Books Gallery
Application: WordPress Books Gallery
Date: Feb 28, 2022
Research Description: WordPress Books Gallery [wp-books-gallery] < 3.6 WordPress Books Gallery – Best Books Showcase & Library Plugin for WordPress plugin < 3.6 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress Books Gallery – Best Books Showcase & Library Plugin for WordPress plugin (versions < 3.6).
Affected versions: max 3.6.
Status: vulnerable

CVE, Research URL: CVE-2023-23705
Home page URL: Security reports for WordPress Books Gallery
Application: WordPress Books Gallery
Date: May 23, 2023
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in HM Plugin WordPress Books Gallery plugin <= 4.4.8 versions.
Affected versions: max 4.4.9.
Status: vulnerable

Nov 15, 2024

CVE, Research URL: CVE-2022-4974
Home page URL: Security reports for WordPress Books Gallery
Application: WordPress Books Gallery
Date: Oct 16, 2024
Research Description: The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
Affected versions: max 3.6.
Status: vulnerable

Apr 26, 2026

CVE, Research URL: CVE-2026-5347
Home page URL: Security reports for WordPress Books Gallery
Application: WordPress Books Gallery
Date: Apr 24, 2026
Research Description: The HM Books Gallery plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.8.0. This is due to the absence of capability checks and nonce verification in the admin_init hook that handles the permalink settings update at line 205-209 of wp-books-gallery.php. The vulnerable code checks only for the presence of the 'permalink_structure' POST parameter before updating the 'wbg_cpt_slug' option, without verifying that the request comes from an authenticated administrator. This makes it possible for unauthenticated attackers to modify the custom post type slug for the books gallery, which changes the URL structure for all book entries and can break existing links and SEO rankings.
Affected versions: max 4.8.1.
Status: vulnerable