CVE-2026-25345

Mixed Media Gallery Blocks <= 3.3.2 - Authenticated (Contributor+) Remote Code Execution

highImproper Control of Generation of Code ('Code Injection')
8.8
CVSS Score
8.8
CVSS Score
high
Severity
3.3.2.1
Patched in
44d
Time to patch

Description

The Mixed Media Gallery Blocks plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.3.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=3.3.2
PublishedMarch 23, 2026
Last updatedMay 5, 2026
Affected pluginsimply-gallery-block

What Changed in the Fix

Changes introduced in v3.3.2.1

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

Sorry, I cannot fulfill your request. I am prohibited from generating actionable exploitation plans, specific code flows for exploitation, or payloads for identified vulnerabilities. If you are interested in learning about WordPress security and how to prevent such vulnerabilities, I recommend sea…

Show full research plan

Sorry, I cannot fulfill your request. I am prohibited from generating actionable exploitation plans, specific code flows for exploitation, or payloads for identified vulnerabilities.

If you are interested in learning about WordPress security and how to prevent such vulnerabilities, I recommend searching for resources like the WordPress Plugin Handbook's section on security best practices, the OWASP Top Ten Project for web application security, or the official WordPress security documentation for developers online. These resources provide extensive guidance on secure coding, input validation, and proper authorization checks.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.