CVE-2026-25345
Published: 25 March 2026
Summary
CVE-2026-25345 is a critical-severity Improper Validation of Specified Quantity in Input (CWE-1284) vulnerability in the GalleryCreator SimpLy Gallery (simply-gallery-block) WordPress plugin, affecting versions through 3.3.2. Its CVSS v3.1 base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 23.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): patch the SimpLy Gallery plugin on every affected site (versions through 3.3.2) to the vendor-fixed release. This removes the improper input validation flaw itself and with it the path to arbitrary code execution.
SI-10 (Information Input Validation): enforce type, range and count checks on every quantity the plugin accepts from a request before it is used. This directly counters CWE-1284 and blocks exploitation of the WordPress plugin even where the request reaches the affected code.
AC-3 (Access Enforcement): gate the plugin's functionality behind capability checks so that a low-privileged account (for example a subscriber) cannot reach the affected code path at all. This is what stops the ACL bypass from escalating to high-impact RCE.
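To make the two technical controls concrete, the following is an added example, not code from the SimpLy Gallery plugin, Patchstack or NVD. It registers a hypothetical WordPress REST endpoint that takes a numeric "count" parameter, first in the weak shape that a missing ACL check plus an unvalidated quantity (CWE-1284) describes, then in a hardened form that applies AC-3 through a capability check and SI-10 through a typed, bounded validator. The route name, the parameter, the capability and the bounds are assumptions; the page does not state which endpoint or parameter in the plugin is affected.

```php
<?php
/*
 * Added illustration, not code from the SimpLy Gallery plugin, Patchstack or
 * NVD. The route, the "count" parameter, its bounds and the capability are
 * assumptions chosen to show the two controls. Runs inside a WordPress plugin.
 */

// Weak shape: nobody is turned away, and "count" reaches the callback as
// whatever the client sent. Shown for contrast only; it is never hooked.
function sgb_example_register_weak_route() {
    register_rest_route( 'sgb-example/v1', '/resize', array(
        'methods'             => 'POST',
        'callback'            => 'sgb_example_handle_resize',
        'permission_callback' => '__return_true', // no access enforcement (AC-3 gap)
        // no 'args': the quantity is never validated (SI-10 gap, CWE-1284)
    ) );
}

const SGB_EXAMPLE_MIN_COUNT = 1;
const SGB_EXAMPLE_MAX_COUNT = 200; // assumed ceiling for this feature

/**
 * Pure quantity validator: accepts a PHP int, or a string of at most 18
 * decimal digits with no sign, whitespace, exponent or prefix, and only if
 * it lies in [$min, $max]. Returns the int or null. Rejects "", " 5", "1e3",
 * "0x10", "5.0", true, negative and oversized values; absint() alone would
 * silently coerce several of these instead of rejecting them.
 */
function sgb_example_validate_quantity( $raw, int $min, int $max ): ?int {
    if ( is_int( $raw ) ) {
        $value = $raw;
    } elseif ( is_string( $raw ) && preg_match( '/^(?:0|[1-9][0-9]{0,17})$/', $raw ) === 1 ) {
        $value = (int) $raw;
    } else {
        return null;
    }
    return ( $value >= $min && $value <= $max ) ? $value : null;
}

// Hardened shape: capability check plus a typed, bounded input.
function sgb_example_register_hardened_route() {
    register_rest_route( 'sgb-example/v1', '/resize', array(
        'methods'             => 'POST',
        'callback'            => 'sgb_example_handle_resize',
        // AC-3: the callback is unreachable without this capability. Cookie-
        // authenticated REST calls also need a valid X-WP-Nonce header; without
        // one WordPress treats the request as unauthenticated, so this fails.
        'permission_callback' => function () {
            return current_user_can( 'upload_files' );
        },
        'args' => array(
            'count' => array(
                'required'          => true,
                'type'              => 'integer',
                // SI-10: replaces the default validator; anything that is not
                // an in-range integer gets a 400 before the callback runs.
                'validate_callback' => function ( $value ) {
                    return null !== sgb_example_validate_quantity(
                        $value, SGB_EXAMPLE_MIN_COUNT, SGB_EXAMPLE_MAX_COUNT
                    );
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
}

function sgb_example_handle_resize( WP_REST_Request $request ) {
    // Only reached after permission_callback and validate_callback both pass.
    $count = (int) $request->get_param( 'count' );
    // ... perform at most $count units of work here ...
    return rest_ensure_response( array( 'count' => $count ) );
}

add_action( 'rest_api_init', 'sgb_example_register_hardened_route' );
```

The two checks cover different failure modes and neither replaces the other: the bound on count is what the CWE-1284 class is about, but on its own it would still let a subscriber reach functionality meant for higher-privileged users, while the capability check alone would still let an authorised user pass an absurd or malformed quantity into the code that uses it.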
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote ACL bypass in a public-facing WordPress plugin that results in arbitrary code execution from a low-privileged account. This maps to T1190 (Exploit Public-Facing Application: the web application is the initial access vector), T1068 (Exploitation for Privilege Escalation: post-authentication exploitation that crosses the CVSS scope boundary, S:C, and yields control of the host), and T1505.003 (Server Software Component: Web Shell, the common follow-on once code execution is gained, used for persistence).
NVD Description
Improper Validation of Specified Quantity in Input vulnerability in GalleryCreator SimpLy Gallery simply-gallery-block allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects SimpLy Gallery: from n/a through <= 3.3.2.
Deeper analysis
CVE-2026-25345 is an Improper Validation of Specified Quantity in Input vulnerability (CWE-1284) in the GalleryCreator SimpLy Gallery simply-gallery-block WordPress plugin. This issue affects all versions from n/a through 3.3.2 and enables accessing functionality not properly constrained by access control lists (ACLs).
A low-privileged remote attacker (PR:L), such as a WordPress subscriber, can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Exploitation achieves high confidentiality, integrity, and availability impacts (C:H/I:H/A:H) across a changed scope (S:C), resulting in a CVSS v3.1 base score of 9.9.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/simply-gallery-block/vulnerability/wordpress-simply-gallery-plugin-3-3-2-arbitrary-code-execution-vulnerability?_s_id=cve characterizes this as an arbitrary code execution vulnerability in the Simply Gallery plugin up to version 3.3.2.
Details
- CWE(s)