
ACF Photo Gallery Field plugin on WordPress allows attackers to change media data

CVE-2025-12081
Summary

The ACF Photo Gallery Field plugin for WordPress has a security flaw that lets authenticated attackers with subscriber-level access or higher change the title, caption, and custom metadata of arbitrary media attachments. The cause is a missing capability check on the "acf_photo_gallery_edit_save" function. Because subscriber is the lowest-privilege WordPress role, this is a concern for any site where untrusted users can hold an account. To fix the issue, update the plugin to a version newer than 3.0 or consider using a different gallery plugin.

Original title
The ACF Photo Gallery Field plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the "acf_photo_gallery_edit_save" function in all versions u...
Original description
The ACF Photo Gallery Field plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the "acf_photo_gallery_edit_save" function in all versions up to, and including, 3.0. This makes it possible for authenticated attackers, with subscriber level access and above, to modify the title, caption, and custom metadata of arbitrary media attachments.
NVD CVSS 3.1 score: 4.3
Vulnerability type
CWE-862 Missing Authorization
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026