Improper Validation of Specified Quantity in Input vulnerability in GalleryCreator SimpLy Gallery simply-gallery-block allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects SimpLy Gallery: from n/a through <= 3.3.2.
The vulnerability classified as CWE-1284 (Improper Validation of Specified Quantity in Input) consists of a lack of proper verification of the quantity or scope of data transmitted by the user. This allows an authenticated attacker to access functionalities that should be protected by access control mechanisms (ACL). An attacker with basic privileges (e.g., subscriber level) can send a crafted network request without victim interaction, thereby gaining access to restricted resources or functions.
An attacker can execute arbitrary code on the server (Arbitrary Code Execution), which as a result can lead to complete takeover of the WordPress site, data leakage, content modification, or further lateral movement in the hosting infrastructure.
The SimpLy Gallery plugin should be immediately updated to a version higher than 3.3.2. Details regarding the version containing the patch are available in the manufacturer's references and in the Patchstack database. Until the update is applied, it is recommended to deactivate the plugin on all WordPress installations.
SimpLy Gallery plugin (simply-gallery-block) by GalleryCreator — all versions from initial release through 3.3.2 inclusive.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H