Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery, CVE-2025-14288

CVE, Research URL: CVE-2025-14288
Home page URL: Security reports for Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery
Application: Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery
Published on: Dec 13, 2025
Research Description: The Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin for WordPress is vulnerable to unauthorized modification of plugin settings in all versions up to, and including, 3.3.0. This is due to the plugin using the `edit_posts` capability check instead of `manage_options` for the `update_option` action type in the `pgc_sgb_action_wizard` AJAX handler. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify arbitrary plugin settings prefixed with `pgc_sgb_*`.
Affected versions: max 3.3.1.
Status: vulnerable