Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-27276

CVE-2025-27276: Photo Gallery Plugin CSRF Vulnerability

CVE-2025-27276 is a Cross-Site Request Forgery flaw in Photo Gallery (Responsive) plugin that enables privilege escalation attacks. This article covers the technical details, affected versions up to 4.0, and mitigation.

Updated:

CVE-2025-27276 Overview

CVE-2025-27276 is a Cross-Site Request Forgery (CSRF) vulnerability in the lizeipe Photo Gallery (Responsive) WordPress plugin, also known as photo-gallery-pearlbells. The flaw affects all plugin versions up to and including 4.0. An attacker who tricks an authenticated WordPress administrator into clicking a crafted link or visiting a malicious page can force the victim's browser to submit privileged requests. Successful exploitation leads to privilege escalation, allowing the attacker to gain elevated access within the affected WordPress site. The vulnerability is classified under CWE-352.

Critical Impact

Successful exploitation allows attackers to escalate privileges on WordPress sites running Photo Gallery (Responsive) plugin versions through 4.0, potentially leading to full site compromise.

Affected Products

  • lizeipe Photo Gallery (Responsive) WordPress plugin (photo-gallery-pearlbells)
  • All versions up to and including 4.0
  • WordPress installations with the vulnerable plugin active

Discovery Timeline

  • 2025-02-24 - CVE-2025-27276 published to NVD
  • 2026-04-23 - Last updated in NVD database

Technical Details for CVE-2025-27276

Vulnerability Analysis

The Photo Gallery (Responsive) plugin fails to validate the origin of state-changing requests submitted to its administrative endpoints. The plugin does not enforce anti-CSRF tokens (nonces) on sensitive actions, which WordPress provides through its wp_nonce_field() and check_admin_referer() APIs. As a result, the plugin trusts any authenticated request that arrives with valid session cookies, regardless of where it originated.

Attackers exploit this trust by crafting HTML pages that automatically submit forms or trigger requests to the vulnerable plugin endpoints. When a logged-in administrator visits the attacker-controlled page, the browser attaches authentication cookies to the forged request. The plugin processes the request as if the administrator initiated it.

The impact extends beyond a typical CSRF flaw because the affected actions perform privilege-changing operations. Exploitation requires user interaction, specifically luring an authenticated user with sufficient privileges to visit a malicious page. The EPSS probability for this CVE is 0.22%.

Root Cause

The root cause is missing CSRF protection on privileged plugin actions. The vulnerable handlers do not call WordPress nonce verification functions such as wp_verify_nonce() or check_admin_referer() before performing state changes. This omission violates the WordPress Plugin Handbook's security guidance for processing admin-area requests.

Attack Vector

The attack is delivered over the network and requires user interaction from an authenticated WordPress user. An attacker hosts a malicious page containing a hidden form or JavaScript payload targeting the vulnerable plugin endpoint. The attacker then delivers the link through phishing email, social media, or compromised third-party content. When the victim's authenticated browser session loads the page, the forged request executes with the victim's privileges, granting the attacker elevated access on the target site. Refer to the Patchstack advisory for additional technical context.

Detection Methods for CVE-2025-27276

Indicators of Compromise

  • Unexpected creation or modification of WordPress administrator accounts.
  • HTTP POST requests to photo-gallery-pearlbells plugin endpoints with Referer headers pointing to external or untrusted domains.
  • WordPress audit logs showing privilege changes initiated immediately after an admin loaded an external link.
  • New user roles or capability changes that do not correspond to legitimate administrative activity.

Detection Strategies

  • Inspect web server access logs for requests to plugin admin endpoints lacking valid _wpnonce parameters.
  • Correlate browser-driven requests to the plugin with off-site Referer headers as a CSRF signal.
  • Monitor WordPress user metadata tables (wp_usermeta) for unexpected wp_capabilities changes.
  • Deploy WordPress security plugins or web application firewall rules that flag missing nonce values on privileged actions.

Monitoring Recommendations

  • Enable WordPress audit logging to capture user role and capability changes in real time.
  • Forward web server and WordPress logs to a centralized SIEM for correlation across authentication and privilege events.
  • Alert on administrator session activity that immediately follows navigation to external domains.

How to Mitigate CVE-2025-27276

Immediate Actions Required

  • Identify all WordPress sites running the Photo Gallery (Responsive) plugin and verify the installed version.
  • Deactivate and remove the photo-gallery-pearlbells plugin if a patched version is not available.
  • Audit administrator accounts and user capabilities for unauthorized changes since the plugin was installed.
  • Force password resets and revoke active sessions for privileged WordPress users.

Patch Information

At the time of publication, no fixed version beyond 4.0 is referenced in the available advisory. Site operators should consult the Patchstack advisory for CVE-2025-27276 for the latest remediation status and any vendor-released update.

Workarounds

  • Remove the plugin until a verified patched release is available.
  • Apply a web application firewall rule that enforces same-origin Referer and Origin validation on wp-admin requests targeting the plugin.
  • Restrict administrator browsing by using dedicated browser profiles or sessions for WordPress management.
  • Train administrators to avoid clicking untrusted links while logged into WordPress.
bash
# Example WordPress hardening: restrict admin access by IP via .htaccess
<Files wp-admin>
  Require ip 203.0.113.0/24
</Files>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.