CVE-2025-11448
📋 TL;DR
The Envira Photo Gallery WordPress plugin has a missing capability check on its bulk-convert REST API endpoint, allowing authenticated users with contributor-level access or higher to convert galleries to Envira galleries without proper authorization. This affects all WordPress sites using Envira Photo Gallery plugin versions up to and including 1.11.0.
💻 Affected Systems
- Envira Photo Gallery WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Malicious contributor could convert all galleries to Envira format, potentially disrupting gallery functionality or enabling further attacks through gallery manipulation.
Likely Case
Contributor-level user converts galleries without authorization, causing minor site disruption or content modification.
If Mitigated
With proper user role management and plugin updates, impact is minimal to none.
🎯 Exploit Status
Exploitation requires contributor-level WordPress user account. No public exploit code identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.11.1
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3387243/envira-gallery-lite/trunk/includes/global/convert_gallery/Convert_Gallery_REST.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Envira Photo Gallery. 4. Click 'Update Now' if available. 5. Alternatively, download version 1.11.1+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Disable REST API endpoint via functions.php
allAdd code to theme's functions.php to remove the vulnerable endpoint
add_filter('rest_endpoints', function($endpoints) { if (isset($endpoints['/envira-convert/v1/bulk-convert'])) { unset($endpoints['/envira-convert/v1/bulk-convert']); } return $endpoints; });
Restrict user roles
allLimit contributor-level access or implement stricter user role management
🧯 If You Can't Patch
- Implement strict user role management - review and minimize contributor-level users
- Monitor WordPress REST API logs for '/envira-convert/v1/bulk-convert' endpoint access
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for Envira Photo Gallery version. If version is 1.11.0 or lower, vulnerable.Check Version:
wp plugin list --name=envira-gallery-lite --field=version (if WP-CLI installed)Verify Fix Applied:
After update, verify plugin version shows 1.11.1 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- WordPress REST API logs showing POST requests to /envira-convert/v1/bulk-convert from non-admin users
- Unexpected gallery conversion events in plugin logs
Network Indicators:
- HTTP POST requests to /wp-json/envira-convert/v1/bulk-convert from authenticated sessions
SIEM Query:
source="wordpress" AND uri_path="/wp-json/envira-convert/v1/bulk-convert" AND http_method="POST" AND user_role!="administrator"🔗 References
- https://plugins.trac.wordpress.org/changeset/3387243/envira-gallery-lite/trunk/includes/global/convert_gallery/Convert_Gallery_REST.php?old=3379688&old_path=envira-gallery-lite%2Ftrunk%2Fincludes%2Fglobal%2Fconvert_gallery%2FConvert_Gallery_REST.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/900e6528-f350-4e1b-80a5-aa01248323a8?source=cve
