🔐 CVE Alert

CVE-2026-5347

MEDIUM 5.3

WP Books Gallery <= 4.8.0 - Missing Authorization to Unauthenticated Settings Update via 'permalink_structure' Parameter

CVSS Score: 5.3
EPSS Score: 0.0%
EPSS Percentile: 0th

The HM Books Gallery plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.8.0. This is due to the absence of capability checks and nonce verification in the admin_init hook that handles the permalink settings update at lines 205-209 of wp-books-gallery.php. The vulnerable code checks only for the presence of the 'permalink_structure' POST parameter before updating the 'wbg_cpt_slug' option, without verifying that the request comes from an authenticated administrator. This makes it possible for unauthenticated attackers to modify the custom post type slug for the books gallery, which changes the URL structure for all book entries and can break existing links and SEO rankings.
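The flaw class described above, shown as an added illustration alongside a hardened form. This is not the plugin's own code: only the option name 'wbg_cpt_slug' and the POST parameter 'permalink_structure' come from the advisory; the function names, nonce action and field names are assumptions made for this example.

```php
<?php
// Illustrative reconstruction of the advisory's flaw class; NOT the plugin's actual code.
// 'wbg_cpt_slug' and 'permalink_structure' are from the advisory; every other name is assumed.

// BEFORE (vulnerable pattern, deliberately not hooked here): an isset() check is the only gate.
// admin_init also runs for admin-ajax.php and admin-post.php, which do not require a logged-in
// user, so a presence check alone does not establish who is making the request.
function wbg_example_vulnerable_permalink_update() {
    if ( isset( $_POST['permalink_structure'] ) ) {
        update_option( 'wbg_cpt_slug', $_POST['permalink_structure'] );
    }
}

// AFTER (hardened pattern): require a capability, a valid nonce, and a sanitized value.
function wbg_example_hardened_permalink_update() {
    if ( ! isset( $_POST['permalink_structure'] ) ) {
        return;
    }
    // 1. Authorization (CWE-862 fix): only users who may manage options can change the slug.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // 2. CSRF protection: the submitted form must carry a nonce bound to this action and user.
    $nonce = isset( $_POST['wbg_example_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['wbg_example_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'wbg_example_save_slug' ) ) {
        return;
    }
    // 3. Input validation: a custom post type slug must be URL-safe, never raw POST data.
    $slug = sanitize_title( wp_unslash( $_POST['permalink_structure'] ) );
    if ( '' === $slug ) {
        return;
    }
    update_option( 'wbg_cpt_slug', $slug );
}
add_action( 'admin_init', 'wbg_example_hardened_permalink_update' );

// The settings form must emit the matching nonce field, otherwise step 2 rejects every submit.
function wbg_example_render_slug_field() {
    wp_nonce_field( 'wbg_example_save_slug', 'wbg_example_nonce' );
    $current = get_option( 'wbg_cpt_slug', '' );
    echo '<input type="text" name="permalink_structure" value="' . esc_attr( $current ) . '">';
}
```

The three checks are independent: the capability check alone would stop unauthenticated updates, but without the nonce an administrator could still be tricked into submitting the form from a third-party page.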

CWE: CWE-862 (Missing Authorization)
Vendor: mhmrajib
Product: WP Books Gallery – Build Stunning Book Showcases & Libraries in Minutes
Published: Apr 24, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: None (PR:N)
User Interaction: None (UI:N)
Scope: Unchanged (S:U)
Confidentiality: None (C:N)
Integrity: Low (I:L)
Availability: None (A:N)

Affected Versions

mhmrajib / WP Books Gallery – Build Stunning Book Showcases & Libraries in Minutes
Versions ≤ 4.8.0 (all releases up to and including 4.8.0)

References

NVD · CVE.org · EPSS Data
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/12bf1cd8-cd55-4771-b2bb-597797b1b949?source=cve
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-books-gallery/trunk/wp-books-gallery.php#L207
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-books-gallery/tags/4.7.8/wp-books-gallery.php#L207
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-books-gallery/trunk/wp-books-gallery.php#L206
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-books-gallery/tags/4.7.8/wp-books-gallery.php#L206
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/wp-books-gallery/tags/4.8.1/wp-books-gallery.php#L207

Credits

Abhirup Konwar