CVE-2025-52721: 
WordPress vulnerability analysis and mitigation

A Missing Authorization vulnerability was identified in LCweb Global Gallery plugin versions up to 9.2.3. The vulnerability was discovered on August 7, 2025, and publicly disclosed on August 14, 2025. This security flaw allows for exploiting incorrectly configured access control security levels in the WordPress plugin (NVD, Patchstack).

The vulnerability is classified as a Broken Access Control issue (CWE-862) with a CVSS v3.1 base score of 6.5 (Medium). The vulnerability vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, indicating that it can be exploited over the network, requires low attack complexity, needs no privileges, and requires no user interaction. The vulnerability affects confidentiality and integrity with low impact, while availability is not affected (NVD, Patchstack).

The vulnerability allows unprivileged users to execute certain higher privileged actions due to missing authorization, authentication, or nonce token checks. This could potentially lead to unauthorized access and modification of protected resources within the Global Gallery plugin (Patchstack).

The vulnerability has been fixed in version 9.2.4 of the Global Gallery plugin. Users are advised to update to version 9.2.4 or later immediately. For users of Patchstack, a virtual patch has been issued to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).