CVE-2025-5482: 
WordPress vulnerability analysis and mitigation

The Sunshine Photo Cart: Free Client Photo Galleries for Photographers plugin for WordPress is vulnerable to privilege escalation via account takeover in versions up to and including 3.4.11. This vulnerability was discovered and disclosed on June 4th, 2025. The vulnerability affects the password reset functionality of the plugin and allows authenticated attackers with Subscriber-level access or above to change arbitrary users' passwords, including administrators (NVD).

The vulnerability stems from improper validation of a user-supplied key in the password reset functionality. The issue is tracked as CWE-620 (Unverified Password Change) and has been assigned a CVSS v3.1 base score of 8.8 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability exists in the plugin's account.php file where the password reset process fails to properly validate user permissions before allowing password changes (WordPress Plugin).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to change the passwords of any user account on the system, including administrator accounts. This can lead to complete account takeover and unauthorized access to administrative functions, potentially compromising the entire WordPress installation (NVD).

The vulnerability has been patched in version 3.4.12 of the Sunshine Photo Cart plugin. Site administrators are strongly advised to update to this version immediately. The fix includes proper validation of the password reset functionality to prevent unauthorized password changes (WordPress Plugin).