CVE-2025-15524 Overview
The Gallery by FooGallery plugin for WordPress contains an authorization bypass vulnerability due to a missing capability check on the ajax_get_gallery_info() function. This flaw affects all versions up to and including 3.1.9, allowing authenticated attackers with Subscriber-level access or above to retrieve metadata (name, image count, thumbnail URL) of private, draft, and password-protected galleries by enumerating gallery IDs.
Critical Impact
Authenticated users with minimal privileges can access sensitive gallery metadata intended to be private, potentially exposing confidential media assets and organizational information.
Affected Products
- FooGallery WordPress Plugin versions up to and including 3.1.9
- WordPress installations with FooGallery plugin enabled
- Sites allowing user registration with Subscriber role or above
Discovery Timeline
- 2026-02-11 - CVE-2025-15524 published to NVD
- 2026-02-11 - Last updated in NVD database
Technical Details for CVE-2025-15524
Vulnerability Analysis
This vulnerability is classified as CWE-862 (Missing Authorization), which occurs when a web application does not perform an authorization check when an actor attempts to access a resource. The ajax_get_gallery_info() function in the FooGallery plugin handles AJAX requests to retrieve gallery information but fails to verify whether the requesting user has appropriate permissions to access the requested gallery data.
The flaw allows any authenticated user, even those with the lowest privilege level (Subscriber), to query and retrieve metadata about galleries that should be restricted. This includes galleries marked as private, those in draft status, and galleries protected by passwords. The attack does not require any special conditions beyond basic authentication, making it easily exploitable by any registered user on the WordPress site.
Root Cause
The root cause is a missing capability check in the ajax_get_gallery_info() function in class-gallery-editor.php. The function processes AJAX requests without verifying that the authenticated user holds a WordPress capability appropriate for the request (such as edit_posts or manage_options), so it returns gallery metadata regardless of the user's role or the gallery's visibility status.
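The pattern described above, as an added illustration written for this page rather than FooGallery's own code: a minimal WordPress AJAX callback that returns gallery metadata, first in the CWE-862 shape (no authorization check at all) and then hardened with a nonce check and an object-level capability check. The post type name 'foogallery', the meta key '_images', the action names and the nonce name are assumptions made for the example.

```php
<?php
/*
 * Illustrative code, not FooGallery's own: a gallery-info AJAX handler shown
 * without an authorization check (the CWE-862 pattern) and then hardened.
 * Assumed for the example: galleries are posts of type 'foogallery' and
 * attachment IDs live in post meta under '_images'.
 */

// --- Vulnerable pattern: every logged-in user reaches this callback --------
add_action( 'wp_ajax_demo_get_gallery_info_insecure', 'demo_get_gallery_info_insecure' );
function demo_get_gallery_info_insecure() {
    $gallery_id = absint( $_POST['gallery_id'] ?? 0 );
    $gallery    = get_post( $gallery_id );
    if ( ! $gallery ) {
        wp_send_json_error( 'not found', 404 );
    }
    // No nonce and no capability check: private, draft and password-protected
    // galleries are returned to a Subscriber exactly like public ones.
    wp_send_json_success( demo_gallery_metadata( $gallery ) );
}

// --- Hardened pattern ------------------------------------------------------
add_action( 'wp_ajax_demo_get_gallery_info', 'demo_get_gallery_info' );
function demo_get_gallery_info() {
    // 1. CSRF protection: the editor page must have emitted this nonce via
    //    wp_create_nonce( 'demo_gallery_info' ); on mismatch WordPress dies with 403.
    check_ajax_referer( 'demo_gallery_info', 'nonce' );

    $gallery_id = absint( $_POST['gallery_id'] ?? 0 );
    $gallery    = get_post( $gallery_id );

    // 2. Object-level authorization through the edit_post meta capability,
    //    which WordPress maps to edit_others_posts / edit_private_posts as
    //    needed. Answering identically for unknown and forbidden IDs keeps
    //    the endpoint from acting as an ID oracle.
    if ( ! $gallery
        || 'foogallery' !== $gallery->post_type
        || ! current_user_can( 'edit_post', $gallery_id ) ) {
        wp_send_json_error( 'not found', 404 );
    }

    wp_send_json_success( demo_gallery_metadata( $gallery ) );
}

// Builds the same metadata triple the advisory names: name, image count, thumbnail URL.
function demo_gallery_metadata( WP_Post $gallery ) {
    $image_ids = get_post_meta( $gallery->ID, '_images', true );
    $image_ids = is_array( $image_ids ) ? array_values( $image_ids ) : array();
    return array(
        'name'      => $gallery->post_title,
        'count'     => count( $image_ids ),
        'thumbnail' => $image_ids ? wp_get_attachment_image_url( $image_ids[0], 'thumbnail' ) : '',
    );
}
```

The capability check is deliberately per object (edit_post on the specific ID) rather than a blanket edit_posts test: a Contributor may edit their own drafts but must not read another author's private gallery, and the meta capability encodes that distinction for free.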
Attack Vector
The attack is network-based and requires only low-privileged authenticated access to the target WordPress installation. An attacker can exploit this vulnerability by registering a basic Subscriber account on the target WordPress site, then sending crafted AJAX requests to the vulnerable endpoint. By systematically enumerating gallery IDs, the attacker can discover and retrieve metadata from all galleries on the site, including those that administrators intended to keep private or restricted.
Exploitation consists of POST requests to the WordPress AJAX handler (admin-ajax.php) carrying the action parameter that routes to ajax_get_gallery_info(), repeated over candidate gallery ID values to enumerate galleries and extract their protected metadata.
Detection Methods for CVE-2025-15524
Indicators of Compromise
- Unusual volume of AJAX requests to admin-ajax.php from low-privileged user accounts
- Sequential or pattern-based gallery ID enumeration attempts in server logs
- Subscriber-level accounts making requests to gallery information endpoints
- Unexpected access patterns to the ajax_get_gallery_info action
Detection Strategies
- Monitor WordPress AJAX request logs for suspicious patterns targeting gallery-related actions
- Implement rate limiting on AJAX endpoints to detect enumeration attempts
- Review user activity logs for Subscriber accounts accessing administrative functions
- Deploy web application firewall rules to detect gallery ID enumeration patterns
Monitoring Recommendations
- Enable detailed logging for WordPress AJAX requests and review periodically
- Set up alerts for multiple failed or suspicious requests from single user accounts
- Monitor for new user registrations followed by immediate API enumeration activity
- Review access logs for unusual request patterns to admin-ajax.php actions that are handled by class-gallery-editor.php
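The logging and rate-limiting recommendations above, as an added example that is not part of FooGallery or the original page: a must-use plugin that records every admin-ajax.php request made by a logged-in user (including the gallery_id parameter, which a web-server access log never sees for POST bodies) and throttles gallery-related actions per user within a fixed window. The action prefix 'foogallery', the window length and the threshold are assumptions chosen for the example.

```php
<?php
/*
 * Illustrative mu-plugin (drop into wp-content/mu-plugins/), not FooGallery's
 * own code. Logs every admin-ajax.php request from an authenticated user and
 * rate-limits gallery-related actions per user, so that ID enumeration by a
 * Subscriber account both shows up in the error log and gets throttled.
 * Assumed: gallery AJAX actions share the prefix 'foogallery'; the window and
 * threshold below are illustrative values.
 */

const DEMO_AJAX_WINDOW_SECONDS = 60;  // fixed window length
const DEMO_AJAX_MAX_PER_WINDOW = 30;  // gallery-related calls allowed per user per window

// admin-ajax.php fires admin_init before dispatching the action, so this
// runs ahead of any plugin callback.
add_action( 'admin_init', 'demo_watch_ajax_requests', 1 );
function demo_watch_ajax_requests() {
    if ( ! wp_doing_ajax() || ! is_user_logged_in() ) {
        return;
    }
    $action     = sanitize_key( wp_unslash( $_REQUEST['action'] ?? '' ) );
    $user       = wp_get_current_user();
    $roles      = implode( ',', (array) $user->roles );
    $ip         = $_SERVER['REMOTE_ADDR'] ?? '-';
    $gallery_id = isset( $_REQUEST['gallery_id'] ) ? absint( $_REQUEST['gallery_id'] ) : '-';

    // 1. Detailed logging: one line per request with user, role and the
    //    requested gallery ID, so sequential IDs from a 'subscriber' stand out.
    error_log( sprintf( 'ajax action=%s user=%s roles=%s ip=%s gallery_id=%s',
        $action, $user->user_login, $roles, $ip, $gallery_id ) );

    if ( 0 !== strpos( $action, 'foogallery' ) ) {
        return;
    }

    // 2. Fixed-window counter per user kept in a transient.
    $key    = 'demo_ajax_rl_' . $user->ID;
    $bucket = get_transient( $key );
    if ( ! is_array( $bucket ) || time() - $bucket['start'] >= DEMO_AJAX_WINDOW_SECONDS ) {
        $bucket = array( 'start' => time(), 'count' => 0 );
    }
    $bucket['count']++;
    set_transient( $key, $bucket, DEMO_AJAX_WINDOW_SECONDS );

    if ( $bucket['count'] > DEMO_AJAX_MAX_PER_WINDOW ) {
        error_log( sprintf( 'ALERT ajax rate limit exceeded user=%s roles=%s ip=%s action=%s count=%d',
            $user->user_login, $roles, $ip, $action, $bucket['count'] ) );
        wp_send_json_error( 'too many requests', 429 );
    }
}
```

Keying the counter on the user ID rather than the client IP is intentional: the page's indicators are account-centric (a freshly registered Subscriber enumerating IDs), and a single attacker can rotate IPs far more easily than accounts. The error_log lines can be shipped to whatever log pipeline the site already uses and alerted on with a simple filter on roles=subscriber plus a rising gallery_id sequence.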
How to Mitigate CVE-2025-15524
Immediate Actions Required
- Update FooGallery plugin to a version newer than 3.1.9 that includes the security fix
- Audit existing user accounts for suspicious Subscriber-level accounts
- Review server logs for signs of previous exploitation attempts
- Consider temporarily disabling the FooGallery plugin until patching is complete
Patch Information
The vulnerability affects FooGallery versions up to and including 3.1.9. Administrators should update to the latest available version that addresses this missing capability check. For detailed technical information about the vulnerable code, refer to the WordPress FooGallery Class File and the Wordfence Vulnerability Report.
Workarounds
- Restrict user registration on WordPress sites using the FooGallery plugin until patched
- Implement additional access controls at the web server level for AJAX endpoints
- Use a web application firewall to filter suspicious requests to admin-ajax.php
- Consider implementing IP-based restrictions for administrative AJAX functions
# Configuration example: block gallery AJAX requests via .htaccess
# Add to the WordPress root .htaccess file as a temporary mitigation only.
# Limitations: mod_rewrite cannot read a POST body, so this matches only
# requests that carry the action in the query string; the cookie condition
# is a heuristic that looks for "admin" in the wordpress_logged_in cookie
# value (which holds the username) and is not a real capability check.
# The plugin update remains the actual fix.
<IfModule mod_rewrite.c>
RewriteEngine On
# Deny FooGallery AJAX actions unless the login cookie suggests an admin user.
# Note: this may break legitimate gallery functionality for other roles.
RewriteCond %{REQUEST_URI} ^/wp-admin/admin-ajax\.php [NC]
RewriteCond %{QUERY_STRING} (^|&)action=foogallery [NC]
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in[^=]*=admin [NC]
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

