CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-25345

CVSS 9.9v3.1pub. 2026-03-25upd. 2026-04-24

Improper Validation of Specified Quantity in Input vulnerability in GalleryCreator SimpLy Gallery simply-gallery-block allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects SimpLy Gallery: from n/a through <= 3.3.2.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-1284 (Improper Validation of Specified Quantity in Input) consists of a lack of proper verification of the quantity or scope of data transmitted by the user. This allows an authenticated attacker to access functionalities that should be protected by access control mechanisms (ACL). An attacker with basic privileges (e.g., subscriber level) can send a crafted network request without victim interaction, thereby gaining access to restricted resources or functions.

Impact

An attacker can execute arbitrary code on the server (Arbitrary Code Execution), which as a result can lead to complete takeover of the WordPress site, data leakage, content modification, or further lateral movement in the hosting infrastructure.

Mitigation & patch

The SimpLy Gallery plugin should be immediately updated to a version higher than 3.3.2. Details regarding the version containing the patch are available in the manufacturer's references and in the Patchstack database. Until the update is applied, it is recommended to deactivate the plugin on all WordPress installations.

Who is affected

SimpLy Gallery plugin (simply-gallery-block) by GalleryCreator — all versions from initial release through 3.3.2 inclusive.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References