What the vulnerability does
01 Description
The Vimeo SimpleGallery plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 0.2. This is due to missing authorization checks on the `vimeogallery_admin` function hooked to `admin_menu`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary plugin settings via the `action` parameter.
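To show the pattern behind this class of bug, here is an added illustration (not the plugin's actual source, and no claim about its internals) of a settings handler run directly from an `admin_menu` callback without a capability check, followed by a hardened version; the option name, settings keys, nonce action and render callback are assumptions made for this example.

```php
<?php
// Illustrative reconstruction, not the plugin's real code. Only the names
// vimeogallery_admin, admin_menu and `action` come from the advisory; the
// option name, settings keys, nonce action and render callback are assumed.

// --- Vulnerable pattern ---------------------------------------------------
// `admin_menu` fires for every logged-in user who loads any wp-admin page
// (a Subscriber opening profile.php included), so work done directly inside
// the callback is reachable by all authenticated users. The 'manage_options'
// argument to add_options_page() only gates the menu entry, not this code.
function vimeogallery_admin_vulnerable() {
    add_options_page( 'Vimeo Gallery', 'Vimeo Gallery', 'manage_options',
        'vimeogallery', 'vimeogallery_render_page' );

    // State change keyed only on a request parameter: no capability check
    // and no nonce, so any authenticated user can overwrite the settings.
    if ( isset( $_REQUEST['action'] ) && 'save' === $_REQUEST['action'] ) {
        update_option( 'vimeogallery_settings',
            (array) wp_unslash( $_REQUEST['settings'] ?? array() ) );
    }
}
// add_action( 'admin_menu', 'vimeogallery_admin_vulnerable' );

// --- Hardened pattern -----------------------------------------------------
function vimeogallery_admin_hardened() {
    add_options_page( 'Vimeo Gallery', 'Vimeo Gallery', 'manage_options',
        'vimeogallery', 'vimeogallery_render_page' );

    if ( ! isset( $_REQUEST['action'] ) || 'save' !== $_REQUEST['action'] ) {
        return;
    }
    // 1. Authorization: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF protection: the form must carry a nonce bound to this action.
    check_admin_referer( 'vimeogallery_save_settings' );

    // 3. Input validation: keep only expected keys, each sanitized.
    $raw   = (array) wp_unslash( $_POST['settings'] ?? array() );
    $clean = array(
        'per_page' => absint( $raw['per_page'] ?? 10 ),
        'user_id'  => sanitize_text_field( $raw['user_id'] ?? '' ),
    );
    update_option( 'vimeogallery_settings', $clean );
}
add_action( 'admin_menu', 'vimeogallery_admin_hardened' );

// Assumed settings page: the form emits the nonce the hardened handler checks.
function vimeogallery_render_page() {
    echo '<form method="post"><input type="hidden" name="action" value="save">';
    wp_nonce_field( 'vimeogallery_save_settings' );
    echo '<input name="settings[per_page]" value="10"><button>Save</button></form>';
}
```

A plugin audit for this pattern looks for `update_option`, `delete_option` or similar state changes reachable from `admin_menu`, `admin_init` or `init` callbacks without a preceding `current_user_can()` check.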
Explanation of Vulnerability in Simple Terms
02 Summary
Vimeo SimpleGallery versions 0.2 and earlier lack proper authorization checks, allowing authenticated users to modify gallery content they should not have access to. An attacker with low-level site access can alter or corrupt galleries belonging to other users or administrators. The vulnerability requires an existing user account but no special privileges.
What an attacker can do
03 Attacker Capabilities
Modify or delete galleries belonging to other users without permission.
Potential impact on your site
04 Site Impact
Galleries can be altered or deleted by unauthorized users, risking data loss and site integrity.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege user account on the site.
Key dates
06 Disclosure timeline
December 12, 2025
CVE published
April 8, 2026
Record updated