CVE-2025-27276
Published: 24 February 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-27276 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, in the Photo Gallery (Responsive) WordPress plugin developed by lizeipe under the photo-gallery-pearlbells slug. Published on 2025-02-24, it enables privilege escalation and affects all versions from unknown initial release through 4.0 inclusive. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
An unauthenticated attacker can exploit this CSRF flaw remotely with low complexity by tricking an authenticated user, such as an administrator, into interacting with a malicious webpage or clicking a forged link. This user interaction triggers unauthorized requests to the vulnerable plugin endpoints, allowing the attacker to escalate privileges on the WordPress site without prior access.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/photo-gallery-pearlbells/vulnerability/wordpress-photo-gallery-responsive-plugin-4-0-csrf-to-privilege-escalation-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF vulnerability explicitly enables privilege escalation by allowing an unauthenticated attacker to trigger unauthorized privileged actions on the WordPress plugin via a tricked authenticated user, directly mapping to T1068 Exploitation for Privilege Escalation.