CVE-2025-14003
📋 TL;DR
This vulnerability allows authenticated WordPress users with the Author role (which grants edit_posts and upload_files but not edit_others_posts) to add images to Modula galleries owned by other users. Editors and Administrators can already edit every gallery, so the missing check matters for Author-level accounts. It affects all versions of the Image Gallery – Photo Grid & Video Gallery plugin up to and including 2.13.3 and is fixed in 2.13.4. The issue stems from a missing capability (ownership) check in the add_images_to_gallery_callback() AJAX handler: the wp_ajax_ hook only requires a logged-in session, and the handler did not confirm that the caller is permitted to edit the target gallery.
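The shape of the bug, as an illustrative example added to this advisory (not Modula's actual code): a wp_ajax_ handler that writes to a gallery with no nonce, capability or ownership check, beside a hardened handler. The action name is the one listed on this page; the request fields gallery_id and images, the nonce action modula-ajax-save, the post type modula-gallery and the meta key modula-images are assumptions made for the example.

```php
<?php
// Illustrative example added to this advisory, not Modula's actual code.
// Assumed names: request fields 'gallery_id' and 'images', nonce action
// 'modula-ajax-save', post type 'modula-gallery', meta key 'modula-images'.
// The AJAX action name 'modula_add_images' is taken from this advisory.

// Vulnerable shape: wp_ajax_* only requires a logged-in session, so any
// Author can point the request at any gallery id on the site.
function insecure_add_images_to_gallery_callback() {
    $gallery_id = isset( $_POST['gallery_id'] ) ? absint( $_POST['gallery_id'] ) : 0;
    $images     = isset( $_POST['images'] ) ? array_map( 'absint', (array) $_POST['images'] ) : array();
    // No nonce, no capability check, no ownership check.
    update_post_meta( $gallery_id, 'modula-images', $images );
    wp_send_json_success();
}

// Hardened shape.
function secure_add_images_to_gallery_callback() {
    // 1. CSRF: the request must carry a nonce issued to this user (dies on failure).
    check_ajax_referer( 'modula-ajax-save', 'nonce' );

    $gallery_id = isset( $_POST['gallery_id'] ) ? absint( $_POST['gallery_id'] ) : 0;

    // 2. The target must be a gallery, not an arbitrary post or attachment.
    if ( 'modula-gallery' !== get_post_type( $gallery_id ) ) {
        wp_send_json_error( 'invalid gallery', 400 );
    }

    // 3. Authorization on the object, not just the role. With WordPress's
    //    standard post capabilities, 'edit_post' on this gallery resolves to
    //    edit_posts for its own author and to edit_others_posts for anyone
    //    else, so Authors are confined to their own galleries while Editors
    //    and Administrators keep full access.
    if ( ! current_user_can( 'edit_post', $gallery_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 4. The same rule for each attachment being added: an Author may attach
    //    media they uploaded, not another user's uploads.
    $images = isset( $_POST['images'] ) ? array_map( 'absint', (array) $_POST['images'] ) : array();
    foreach ( $images as $attachment_id ) {
        if ( 'attachment' !== get_post_type( $attachment_id )
            || ! current_user_can( 'edit_post', $attachment_id ) ) {
            wp_send_json_error( 'forbidden attachment', 403 );
        }
    }

    update_post_meta( $gallery_id, 'modula-images', $images );
    wp_send_json_success();
}

// Action name as listed on this advisory; confirm against the plugin source.
add_action( 'wp_ajax_modula_add_images', 'secure_add_images_to_gallery_callback' );
```

The point of step 3 is that a role check such as current_user_can( 'edit_posts' ) would not be enough: every Author passes it. The check has to be against the specific gallery id the request names, which is what the meta capability does.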
💻 Affected Systems
- Image Gallery – Photo Grid & Video Gallery (Modula Best Grid Gallery) WordPress plugin
⚠️ Risk & Real-World Impact
Worst Case
Malicious Authors, who can upload media, could deface galleries shown on public pages, insert inappropriate or misleading images into other users' galleries, or chain this write with other weaknesses for further compromise.
Likely Case
Authors adding unauthorized images to galleries they don't own, causing content integrity issues.
If Mitigated
Minimal impact with proper user role management and monitoring.
🎯 Exploit Status
Exploitation requires authenticated access with Author privileges or higher.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.13.4
Fix Changeset (plugins.trac): https://plugins.trac.wordpress.org/changeset/3414176/modula-best-grid-gallery
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Image Gallery – Photo Grid & Video Gallery'.
4. Click 'Update Now' if available, or manually update to version 2.13.4 or later.
5. Verify that the update completes successfully.
🔧 Temporary Workarounds
Temporarily disable plugin
Deactivate the vulnerable plugin until it can be updated. Existing galleries stop rendering on the site while it is inactive, so treat this as a short-term measure:
wp plugin deactivate modula-best-grid-gallery
Restrict user roles
Review and minimize users holding the Author role. Editors and Administrators can already edit any gallery, so Author accounts are the ones this bug elevates; demote accounts that do not need to publish.
🧯 If You Can't Patch
- Review and audit all users holding the Author role or higher, removing privileges that are not needed; Author accounts are the ones this bug elevates, since Editors and Administrators can already edit every gallery
- Implement monitoring for gallery modification activities and review logs regularly
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins > Installed Plugins. If version is 2.13.3 or lower, system is vulnerable.
Check Version:
wp plugin get modula-best-grid-gallery --field=version
Verify Fix Applied:
Confirm plugin version is 2.13.4 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Gallery image additions where the acting user is not the gallery's post_author and holds only the Author role (Editors and Administrators can legitimately edit any gallery, so their activity is not a signal for this bug)
- Bursts of image additions across many galleries from a single Author account
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php carrying action=modula_add_images (the action name as listed in this advisory; confirm it against the installed plugin's source before building rules). The action parameter is sent in the POST body, so ordinary web-server access logs show only the admin-ajax.php URL; the action name is visible only to a WAF, a reverse proxy that logs request bodies, or an application-side hook.
SIEM Query:
source="wordpress" action="modula_add_images" user_role="author" gallery_owner_id!=user_id
The field names gallery_owner_id and user_id depend on what your application-side logging emits; a query that only matches on role will flag every legitimate Author editing their own gallery.
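An interim guard that serves both the 'If You Can't Patch' section and the detection indicators above, as an added example (not vendor code): a must-use plugin that hooks the AJAX action ahead of the plugin's own handler, refuses requests from users who cannot edit the target gallery, and writes one structured log line per attempt so the "non-owner modifying a gallery" indicator actually appears in a log. It assumes the action name modula_add_images as listed on this page and that the gallery id is posted as gallery_id; confirm both against the installed plugin's source before relying on it, and remove it after updating to 2.13.4.

```php
<?php
/**
 * Plugin Name: CVE-2025-14003 interim guard (example, not a vendor patch)
 * Description: Blocks and logs gallery image additions by users who cannot
 *              edit the target gallery. Place in wp-content/mu-plugins/.
 */

// Assumptions, not confirmed by this advisory: the AJAX action is
// 'modula_add_images' and the gallery id arrives as $_POST['gallery_id'].
define( 'CVE_2025_14003_ACTION', 'modula_add_images' );

// Priority 0 runs before the plugin's own callback (registered at the
// default priority 10). wp_send_json_error() ends the request, so the
// vulnerable callback never executes for a rejected request.
add_action( 'wp_ajax_' . CVE_2025_14003_ACTION, 'cve_2025_14003_guard', 0 );

function cve_2025_14003_guard() {
    $gallery_id = isset( $_POST['gallery_id'] ) ? absint( $_POST['gallery_id'] ) : 0;
    $user       = wp_get_current_user();

    // Object-level check: with standard post capabilities, 'edit_post' on
    // this gallery means edit_posts for its owner and edit_others_posts for
    // everyone else, which is exactly the boundary Authors must not cross.
    $allowed = $gallery_id > 0 && current_user_can( 'edit_post', $gallery_id );

    // One JSON line per attempt, allowed or not, so the SIEM can compare the
    // acting user with the gallery owner instead of guessing from the role.
    error_log( wp_json_encode( array(
        'event'      => CVE_2025_14003_ACTION,
        'user_id'    => $user->ID,
        'user_login' => $user->user_login,
        'roles'      => $user->roles,
        'gallery_id' => $gallery_id,
        'owner_id'   => (int) get_post_field( 'post_author', $gallery_id ),
        'allowed'    => $allowed,
        'ip'         => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
    ) ) );

    if ( ! $allowed ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Allowed: return and let the plugin's own handler run as normal.
}
```

The guard fails closed: if the real request uses a different field name for the gallery id, every add-images request is refused and logged with gallery_id 0, which breaks the feature for everyone but never re-opens the hole. That breakage is the signal to correct the assumed field name rather than to remove the guard.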