CVE-2025-12081 Overview
The ACF Photo Gallery Field plugin for WordPress contains an authorization bypass vulnerability due to a missing capability check on the acf_photo_gallery_edit_save function. This vulnerability affects all versions up to and including 3.0, allowing authenticated attackers with subscriber-level access or higher to modify the title, caption, and custom metadata of arbitrary media attachments without proper authorization.
Critical Impact
Authenticated users with minimal privileges (subscriber level) can modify metadata of any media attachment in the WordPress installation, potentially leading to defacement, SEO manipulation, or social engineering attacks.
Affected Products
- ACF Photo Gallery Field plugin for WordPress versions up to and including 3.0
- WordPress installations using the navz-photo-gallery plugin
Discovery Timeline
- 2026-02-19 - CVE-2025-12081 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2025-12081
Vulnerability Analysis
This vulnerability is classified as CWE-862 (Missing Authorization), a common weakness that occurs when software does not perform an authorization check when an actor attempts to access a resource or perform an action. In the context of the ACF Photo Gallery Field plugin, the acf_photo_gallery_edit_save function processes requests to modify media attachment metadata without verifying whether the requesting user has the appropriate capabilities to perform such modifications.
The attack can be conducted over the network by any authenticated user, regardless of their role level. Even subscribers—the lowest authenticated privilege level in WordPress—can exploit this vulnerability to alter media metadata they should not have access to modify.
Root Cause
The root cause lies in the absence of capability checks within the acf_photo_gallery_edit_save function located in includes/acf_photo_gallery_edit_save.php. WordPress provides built-in capability checking functions such as current_user_can() that should be used to verify user permissions before processing sensitive operations. The vulnerable function fails to implement these checks, allowing any authenticated request to proceed regardless of the user's actual authorization level.
Attack Vector
The vulnerability is exploitable via network-based requests by authenticated users. An attacker who has registered as a subscriber on a vulnerable WordPress site can craft requests to the acf_photo_gallery_edit_save function endpoint. The function, registered via WordPress AJAX hooks in navz-photo-gallery.php, accepts modification requests without validating that the requesting user has appropriate permissions (such as edit_posts or upload_files capabilities).
The attack scenario involves:
- Attacker creates or obtains a subscriber-level account on the target WordPress site
- Attacker identifies media attachment IDs (often predictable or enumerable)
- Attacker sends crafted requests to modify attachment metadata
- The vulnerable function processes the request without authorization checks
Since no code examples are available from verified sources, readers should refer to the WordPress Plugin File Overview for technical implementation details.
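To make the CWE-862 pattern concrete, the following is an illustrative AJAX handler in the vulnerable shape beside its hardened form. This is added example code, not the plugin's actual source: the request parameter names (attachment_id, title, caption), the nonce action name and the hook registration are assumptions.

```php
<?php
// Hypothetical reconstruction of the missing-authorization pattern; not the plugin's code.

// BEFORE: no capability check. Any logged-in user who reaches admin-ajax.php
// with this action can retitle or recaption any attachment on the site.
function vulnerable_edit_save() {
    $id = (int) $_POST['attachment_id'];
    wp_update_post( array(
        'ID'           => $id,
        'post_title'   => sanitize_text_field( wp_unslash( $_POST['title'] ) ),
        'post_excerpt' => sanitize_text_field( wp_unslash( $_POST['caption'] ) ), // caption is stored in post_excerpt
    ) );
    wp_send_json_success();
}

// AFTER: nonce check (CSRF), target validation, and a per-attachment capability check.
function hardened_edit_save() {
    // A nonce only proves the request came from a page this site generated for this
    // user; it is not an authorization check, so current_user_can() is still required.
    check_ajax_referer( 'acf_photo_gallery_edit', '_ajax_nonce' ); // assumed nonce action name

    $id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    if ( ! $id || 'attachment' !== get_post_type( $id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid attachment.' ), 400 );
    }
    // edit_post is a meta capability: for attachments it maps to edit_posts for the
    // uploader and edit_others_posts otherwise. Subscribers have neither, so they are denied.
    if ( ! current_user_can( 'edit_post', $id ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    wp_update_post( array(
        'ID'           => $id,
        'post_title'   => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_excerpt' => sanitize_text_field( wp_unslash( $_POST['caption'] ?? '' ) ),
    ) );
    wp_send_json_success( array( 'id' => $id ) );
}

// Assumed registration; authenticated users only (no wp_ajax_nopriv_ variant).
add_action( 'wp_ajax_acf_photo_gallery_edit_save', 'hardened_edit_save' );
```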
Detection Methods for CVE-2025-12081
Indicators of Compromise
- Unexpected modifications to media attachment titles, captions, or custom metadata
- AJAX requests to acf_photo_gallery_edit_save action from low-privilege user accounts
- Audit log entries showing media modifications by subscriber-level users
- Changes to media metadata that do not correlate with expected administrative activity
Detection Strategies
- Monitor WordPress AJAX endpoints for requests containing the acf_photo_gallery_edit_save action from non-administrative users
- Track changes to attachment records in the WordPress database (wp_posts for title and caption, wp_postmeta for custom metadata); this metadata lives in the database, not in files, so file integrity monitoring alone will not see it
- Review user activity logs for unexpected media modification events from subscriber accounts
- Enable WordPress audit logging plugins to track all media-related changes with user attribution
Monitoring Recommendations
- Configure web application firewall (WAF) rules to alert on suspicious AJAX POST requests targeting photo gallery endpoints
- Implement database activity monitoring to detect bulk or suspicious updates to the wp_postmeta table related to attachments
- Set up alerts for media metadata changes originating from users without edit_posts capability
How to Mitigate CVE-2025-12081
Immediate Actions Required
- Update the ACF Photo Gallery Field plugin to a version newer than 3.0 that includes the security patch
- Review media attachment metadata for unauthorized modifications
- Audit subscriber and contributor user accounts for suspicious activity
- Consider temporarily disabling the plugin until the update can be applied
Patch Information
A security patch has been released for this vulnerability. The WordPress Plugin Changeset contains the remediation code that adds proper capability checks to the vulnerable function. Site administrators should update to the latest version of the plugin through the WordPress dashboard or by downloading directly from the WordPress plugin repository.
For additional vulnerability details and tracking, refer to the Wordfence Vulnerability Report.
Workarounds
- Restrict user registration on the WordPress site to prevent attackers from obtaining subscriber accounts
- Implement additional server-level access controls to block AJAX requests to the vulnerable endpoint from non-administrative users
- Use a security plugin to add capability checks at the request level before processing AJAX actions
<?php
// Temporary workaround: save as wp-content/mu-plugins/disable-registration.php to force
// "Anyone can register" off. Registration is controlled by the users_can_register option,
// not by a wp-config.php constant, so a define() in wp-config.php has no effect.
// This prevents new attackers from obtaining subscriber accounts; existing accounts remain.
add_filter( 'option_users_can_register', '__return_zero' );
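The request-level capability check suggested under Workarounds and the logging suggested under Detection Strategies can both be implemented from one must-use plugin. This is added example code, not part of the plugin or the page; the AJAX hook name is derived from the action name acf_photo_gallery_edit_save and is an assumption, as is the assumption that the plugin updates attachments through wp_update_post().

```php
<?php
/*
Plugin Name: CVE-2025-12081 request gate and audit (illustrative mu-plugin)
Description: Drop into wp-content/mu-plugins/. Hypothetical code, not the plugin's own.
*/

// Assumed hook name: the AJAX action 'acf_photo_gallery_edit_save' is dispatched as
// 'wp_ajax_acf_photo_gallery_edit_save'. Priority 0 runs before a default-priority handler.
add_action( 'wp_ajax_acf_photo_gallery_edit_save', 'cve_2025_12081_gate', 0 );

function cve_2025_12081_gate() {
    if ( current_user_can( 'edit_posts' ) ) {
        return; // let the plugin's own handler run
    }
    $user = wp_get_current_user();
    error_log( sprintf(
        'CVE-2025-12081 gate: denied acf_photo_gallery_edit_save for user %d (%s, roles=%s)',
        $user->ID,
        $user->user_login,
        implode( ',', $user->roles )
    ) );
    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 ); // ends the request
}

// Detection: log attachment title/caption changes by users lacking edit rights on the item.
// Assumes the modifying code calls wp_update_post(), which fires 'post_updated'.
add_action( 'post_updated', 'cve_2025_12081_audit', 10, 3 );

function cve_2025_12081_audit( $post_id, $post_after, $post_before ) {
    if ( 'attachment' !== $post_after->post_type || current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $changed = array();
    if ( $post_after->post_title !== $post_before->post_title ) {
        $changed[] = 'title';
    }
    if ( $post_after->post_excerpt !== $post_before->post_excerpt ) { // caption is stored in post_excerpt
        $changed[] = 'caption';
    }
    if ( $changed ) {
        error_log( sprintf(
            'CVE-2025-12081 audit: user %d changed %s of attachment %d without edit_post capability',
            get_current_user_id(),
            implode( ',', $changed ),
            $post_id
        ) );
    }
}
```

The gate only helps if the plugin registers its handler at a priority above 0, so confirm the registration in navz-photo-gallery.php before relying on it, and treat the gate as a stopgap until the patched version is installed.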
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.