CVE-2024-43925 – WordPress Envira Gallery Lite plugin <= 1.8.14 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-43925
Missing Authorization vulnerability in Envira Gallery Team Envira Photo Gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Envira Photo Gallery: from n/a through 1.8.14. The Envira Photo Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the envira_gallery_ajax_load_gallery_data() function in versions up to, and including, 1.8.14. This makes it possible for authenticated attackers, with contributor-level access and above, to edit other users galleries. • https://patchstack.com/database/vulnerability/envira-gallery-lite/wordpress-envira-gallery-lite-plugin-1-8-14-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVE-2024-37095 – WordPress Envira Photo Gallery plugin <= 1.8.7.3 - Missing Authorization vulnerability
https://notcve.org/view.php?id=CVE-2024-37095
Missing Authorization vulnerability in Envira Gallery Team Envira Photo Gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Envira Photo Gallery: from n/a through 1.8.7.3. The Envira Photo Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.7.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to dismiss notices via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/envira-gallery-lite/wordpress-envira-photo-gallery-plugin-1-8-7-3-csrf-leading-to-notice-dismissal-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization •