Cyber Resilience

CVE-2026-25345

Critical

Published: 25 March 2026
Modified: 24 April 2026
KEV Added: not listed
Patch
CVSS v3.1 score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.0045 (35.5th percentile)
Risk priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-25345 is a critical-severity Improper Validation of Specified Quantity in Input (CWE-1284) vulnerability in the SimpLy Gallery (simply-gallery-block) WordPress plugin. Its CVSS v3.1 base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 35.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog. A below-median EPSS should not be read as low exposure here: exploitation needs only a low-privileged account, so any site that allows open user registration exposes the flaw to every visitor who signs up.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-25345 is an Improper Validation of Specified Quantity in Input vulnerability (CWE-1284) in the GalleryCreator SimpLy Gallery simply-gallery-block WordPress plugin. It affects all versions up to and including 3.3.2 and lets a caller reach functionality that is not properly constrained by access control lists (ACLs).

A low-privileged remote attacker (PR:L), such as a WordPress subscriber, can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Exploitation achieves high confidentiality, integrity and availability impacts (C:H/I:H/A:H) with a scope change (S:C), meaning the impact reaches beyond the vulnerable plugin into the hosting WordPress site, which yields a CVSS v3.1 base score of 9.9.
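To make the score arithmetic concrete, here is an added example (not part of the advisory) that computes the v3.1 base score from the vector string above using the metric weights and formulas published in the CVSS v3.1 specification: the ISS and impact sub-score, the exploitability sub-score, the 1.08 multiplier and the higher PR:L weight that apply only when scope changes, and the specification's Roundup function. It also scores the same vector with scope unchanged so the contribution of S:C is visible. Function and constant names are the example's own.

```php
<?php
// Added example (not from the advisory): CVSS v3.1 base score from a vector
// string, following the v3.1 specification formulas and metric weights.
declare(strict_types=1);

const CVSS31_WEIGHTS = [
    'AV' => ['N' => 0.85, 'A' => 0.62, 'L' => 0.55, 'P' => 0.2],
    'AC' => ['L' => 0.77, 'H' => 0.44],
    'UI' => ['N' => 0.85, 'R' => 0.62],
    'C'  => ['H' => 0.56, 'L' => 0.22, 'N' => 0.0],
    'I'  => ['H' => 0.56, 'L' => 0.22, 'N' => 0.0],
    'A'  => ['H' => 0.56, 'L' => 0.22, 'N' => 0.0],
];

// Privileges Required weighs more when scope is changed (PR:L 0.62 -> 0.68).
function cvss31_pr_weight(string $pr, bool $scopeChanged): float {
    switch ($pr) {
        case 'N': return 0.85;
        case 'L': return $scopeChanged ? 0.68 : 0.62;
        case 'H': return $scopeChanged ? 0.50 : 0.27;
    }
    throw new InvalidArgumentException("bad PR value: $pr");
}

// Spec Roundup: smallest one-decimal value >= input, via the integer trick
// the specification recommends to avoid floating-point artefacts.
function cvss31_roundup(float $x): float {
    $int = (int) round($x * 100000);
    if ($int % 10000 === 0) {
        return $int / 100000;
    }
    return (intdiv($int, 10000) + 1) / 10;
}

function cvss31_parse(string $vector): array {
    if (strpos($vector, 'CVSS:3.1/') !== 0) {
        throw new InvalidArgumentException('not a CVSS v3.1 vector');
    }
    $metrics = [];
    foreach (explode('/', substr($vector, 9)) as $pair) {
        $kv = explode(':', $pair, 2);
        if (count($kv) !== 2) {
            throw new InvalidArgumentException("malformed metric: $pair");
        }
        $metrics[$kv[0]] = $kv[1];
    }
    foreach (['AV', 'AC', 'PR', 'UI', 'S', 'C', 'I', 'A'] as $required) {
        if (!isset($metrics[$required])) {
            throw new InvalidArgumentException("missing base metric: $required");
        }
    }
    return $metrics;
}

function cvss31_base_score(string $vector): float {
    $m = cvss31_parse($vector);
    $scopeChanged = $m['S'] === 'C';
    $w = CVSS31_WEIGHTS;

    // Impact Sub-Score (ISS) and the scope-dependent Impact formula.
    $iss = 1 - (1 - $w['C'][$m['C']]) * (1 - $w['I'][$m['I']]) * (1 - $w['A'][$m['A']]);
    $impact = $scopeChanged
        ? 7.52 * ($iss - 0.029) - 3.25 * (($iss - 0.02) ** 15)
        : 6.42 * $iss;
    $exploitability = 8.22 * $w['AV'][$m['AV']] * $w['AC'][$m['AC']]
        * cvss31_pr_weight($m['PR'], $scopeChanged) * $w['UI'][$m['UI']];

    if ($impact <= 0) {
        return 0.0;
    }
    $raw = $scopeChanged ? 1.08 * ($impact + $exploitability) : $impact + $exploitability;
    return cvss31_roundup(min($raw, 10.0));
}

function cvss31_severity(float $score): string {
    if ($score == 0.0) return 'None';
    if ($score < 4.0) return 'Low';
    if ($score < 7.0) return 'Medium';
    if ($score < 9.0) return 'High';
    return 'Critical';
}

// The vector from this advisory, then the same vector with scope unchanged.
foreach (['CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H',
          'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'] as $vector) {
    $score = cvss31_base_score($vector);
    printf("%s => %.1f (%s)\n", $vector, $score, cvss31_severity($score));
}
```

Run it with `php cvss31.php`. The first line reproduces the 9.9 on this page; the second shows that with S:U the same impacts and exploitability land a full band lower, which is why the scope metric deserves scrutiny when triaging a plugin vulnerability that can affect the whole site.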

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/simply-gallery-block/vulnerability/wordpress-simply-gallery-plugin-3-3-2-arbitrary-code-execution-vulnerability?_s_id=cve characterizes this as an arbitrary code execution vulnerability in the Simply Gallery plugin up to version 3.3.2.


Vulnerability details

Improper Validation of Specified Quantity in Input vulnerability in GalleryCreator SimpLy Gallery simply-gallery-block allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects SimpLy Gallery: from n/a through <= 3.3.2.

CWE(s): CWE-1284 Improper Validation of Specified Quantity in Input

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (tactic: Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The CVE describes a remote ACL bypass in a public-facing WordPress plugin that results in arbitrary code execution from a low-privileged account. That maps to T1190 (exploiting the public-facing web application for initial access), T1068 (post-authentication exploitation that changes scope and yields control of the host) and T1505.003 (a web shell is the common way an attacker turns one-off code execution into persistent access).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-55398 (shared CWE-1284)
CVE-2026-3381 (shared CWE-1284)
CVE-2026-27384 (shared CWE-1284)
CVE-2026-44826 (shared CWE-1284)
CVE-2025-0286 (shared CWE-1284)
CVE-2024-55407 (shared CWE-1284)
CVE-2024-30516 (shared CWE-1284)
CVE-2025-0285 (shared CWE-1284)
CVE-2026-30573 (shared CWE-1284)
CVE-2026-1092 (shared CWE-1284)

Affected Assets

GalleryCreator SimpLy Gallery (simply-gallery-block) WordPress plugin, all versions up to and including 3.3.2.

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Timely flaw remediation means updating the SimpLy Gallery plugin to a version later than 3.3.2 on every site that runs it. This removes the improper input validation flaw itself and so closes the exploitation path that leads to arbitrary code execution.

SI-10 Information Input Validation (prevent)

Information input validation enforces checking of the specified quantity in inputs (type, range and bounds) before it is used, directly countering CWE-1284 and blocking exploitation of the plugin.

AC-3 Access Enforcement (prevent)

Access enforcement ensures that plugin functionality is constrained by ACLs, which in WordPress means a capability check on every privileged action, so that low-privileged accounts cannot reach the functionality that results in high-impact code execution.
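The Deeper analysis section and the SI-10 and AC-3 entries above describe the same two failures: a privileged operation reachable by any authenticated user, and a quantity parameter that is never validated. The following added example (not code from the Simply Gallery plugin; the hook, action, nonce and capability names are hypothetical) shows that pattern in a WordPress AJAX handler beside a hardened version that performs the capability check and nonce verification before any input is touched and validates the quantity against a fixed range. The policy is a pure function, so the bottom of the file exercises it without a WordPress install.

```php
<?php
// Added example, not the Simply Gallery plugin's code. Hook, action, nonce and
// capability names are hypothetical; sgb_demo_privileged_operation stands in
// for whatever admin-only work the real endpoint performs.
declare(strict_types=1);

function sgb_demo_privileged_operation(int $count): void {
    // Placeholder for the admin-only operation (e.g. rewriting plugin options).
}

// ---- Vulnerable pattern -------------------------------------------------
// wp_ajax_{action} fires for ANY logged-in user, subscribers included. Nothing
// asks whether the caller may manage galleries, and the quantity is cast but
// never range-checked, so a low-privileged account reaches admin-only work.
function sgb_demo_vulnerable_handler(): void {
    $count = (int) ($_POST['count'] ?? 0);   // a cast is not validation: 0, -1, 99999 all pass
    sgb_demo_privileged_operation($count);   // no capability check, no nonce
    wp_send_json_success();
}

// ---- Hardened pattern ---------------------------------------------------
// Pure decision function: $userCan is a capability oracle (current_user_can
// in WordPress), $nonceValid a nonce oracle (wp_verify_nonce). Returns
// [http_status, validated_count_or_null].
function sgb_demo_authorize(array $request, callable $userCan, callable $nonceValid): array {
    // AC-3 Access Enforcement: authorize before looking at any input.
    if (!$userCan('manage_options')) {
        return [403, null];
    }
    // CSRF: the nonce binds the request to a form this user was actually shown.
    if (!$nonceValid((string) ($request['nonce'] ?? ''), 'sgb_demo_render')) {
        return [403, null];
    }
    // SI-10 / CWE-1284: the quantity must be an integer inside a fixed range;
    // anything else is rejected outright rather than silently clamped.
    $count = filter_var($request['count'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($count === false) {
        return [400, null];
    }
    return [200, $count];
}

function sgb_demo_hardened_handler(): void {
    [$status, $count] = sgb_demo_authorize($_POST, 'current_user_can', 'wp_verify_nonce');
    if ($status !== 200) {
        wp_send_json_error(null, $status);   // sets the HTTP status and exits
    }
    sgb_demo_privileged_operation($count);
    wp_send_json_success();
}

// Register hooks only when running inside WordPress.
if (function_exists('add_action')) {
    add_action('wp_ajax_sgb_demo_render_vuln', 'sgb_demo_vulnerable_handler');
    add_action('wp_ajax_sgb_demo_render', 'sgb_demo_hardened_handler');
}

// ---- Stand-alone demonstration (no WordPress needed) ---------------------
// Constructed oracles: a subscriber who only has 'read', an administrator who
// has everything, and a nonce check that accepts one known-good token.
$subscriberCan = fn(string $cap): bool => $cap === 'read';
$adminCan      = fn(string $cap): bool => true;
$nonceOk       = fn(string $nonce, string $action): bool => $nonce === 'good-nonce';

$cases = [
    'subscriber, valid nonce, count=5' => [['nonce' => 'good-nonce', 'count' => '5'],     $subscriberCan],
    'admin, stale nonce, count=5'      => [['nonce' => 'stale',      'count' => '5'],     $adminCan],
    'admin, valid nonce, count=99999'  => [['nonce' => 'good-nonce', 'count' => '99999'], $adminCan],
    'admin, valid nonce, count=-1'     => [['nonce' => 'good-nonce', 'count' => '-1'],    $adminCan],
    'admin, valid nonce, count=abc'    => [['nonce' => 'good-nonce', 'count' => 'abc'],   $adminCan],
    'admin, valid nonce, count=5'      => [['nonce' => 'good-nonce', 'count' => '5'],     $adminCan],
];
foreach ($cases as $label => [$request, $can]) {
    [$status, $count] = sgb_demo_authorize($request, $can, $nonceOk);
    printf("%-34s => HTTP %d%s\n", $label, $status, $count === null ? '' : ", count=$count");
}
```

Run it with `php sgb_demo.php`: the subscriber is refused with 403 before the quantity is examined, the stale nonce is refused with 403, the out-of-range and non-numeric counts are refused with 400, and only the administrator with a valid nonce and an in-range count reaches the privileged operation. Inside WordPress the same function is fed current_user_can and wp_verify_nonce (which returns 1, 2 or false, so the truthiness test is sufficient), and the nonce is issued on the admin page with wp_create_nonce('sgb_demo_render').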
