Attack Vectors
A high-severity vulnerability (CVSS 7.5) has been identified in the WordPress plugin Image Gallery – Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery (slug: new-image-gallery), affecting versions up to and including 1.6.0 (CVE: CVE-2026-22345).
The issue is an authenticated (Contributor+) attack path, meaning an attacker typically needs access to a WordPress account with contributor-level permissions (or higher). This can happen through compromised credentials, password reuse, phishing, or an insider threat scenario.
The vulnerability is triggered by the plugin’s handling of untrusted input that gets processed in a way that allows injection of a PHP object. While this is not a “drive-by” public exploit scenario, it is a meaningful risk for organizations with multiple authors, contractors, agencies, or distributed teams who regularly log into WordPress.
Security Weakness
This vulnerability is categorized as PHP Object Injection caused by deserialization of untrusted input in affected versions of the plugin. In business terms, the plugin can be coerced into processing attacker-supplied data in a way it was not designed to handle.
Importantly, the published details state there is no known POP chain in the vulnerable software itself. However, if a suitable chain exists through another installed plugin or theme, the risk can escalate significantly. This is why issues like this can be more dangerous in real-world WordPress environments where many plugins/themes coexist.
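To make the weakness class concrete, the following added illustration (not code from the new-image-gallery plugin, and not tied to any specific parameter of it) contrasts the unsafe deserialization pattern with two hardened alternatives. The gadget class and the input field are hypothetical; the serialized string is constructed for the demonstration.

```php
<?php
// Added example: hypothetical class of the kind another plugin or theme
// might load. Its magic method acts on state taken from the serialized
// payload, which is what makes it a potential "POP chain" gadget.
class CacheCleaner {
    public $path;
    public function __destruct() {
        echo "destructor ran with path: {$this->path}\n";
    }
}

// VULNERABLE pattern: untrusted input reaches unserialize() directly, so
// any class loaded in the process can be instantiated and its magic
// methods (__destruct, __wakeup, __toString, ...) executed.
function load_settings_vulnerable(string $raw) {
    return unserialize($raw);
}

// HARDENED pattern 1: forbid object instantiation entirely. Object
// payloads decode to __PHP_Incomplete_Class, which has no magic methods,
// and anything that is not the expected array shape is discarded.
function load_settings_hardened(string $raw): array {
    $data = unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// HARDENED pattern 2 (preferred for new code): do not use PHP
// serialization for data crossing a trust boundary; JSON cannot express
// PHP objects, so there is nothing for a gadget chain to latch onto.
function load_settings_json(string $raw): array {
    $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Constructed sample: an object where an array of settings was expected.
$hostile = 'O:12:"CacheCleaner":1:{s:4:"path";s:15:"/tmp/wp-example";}';

// Vulnerable path: CacheCleaner is instantiated and its destructor runs.
$obj = load_settings_vulnerable($hostile);
echo "vulnerable path produced: ", get_class($obj), "\n";

// Hardened paths: the class is never instantiated; bad input is rejected.
var_dump(load_settings_hardened($hostile));
try {
    load_settings_json($hostile);
} catch (JsonException $e) {
    echo "JSON loader rejected non-JSON input\n";
}
```

The `allowed_classes` option exists from PHP 7.0 onward; on a site that must keep `unserialize()` for legacy stored data, passing `false` (or an explicit allow-list of plain data classes) removes the instantiation step that every PHP Object Injection chain depends on.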
Technical or Business Impacts
If your WordPress environment includes an additional plugin or theme that provides a usable exploitation chain, an attacker with Contributor+ access may be able to retrieve sensitive data, delete arbitrary files, or potentially execute code. Any of these outcomes can translate directly into operational disruption and reputational harm.
For marketing leadership and executives, the practical risk includes website downtime during campaigns, defacement or unauthorized content changes, and the possibility of data exposure (for example, internal content, customer information stored in the CMS, or integration secrets depending on your setup). These can trigger brand damage, lost revenue, incident response costs, and compliance reporting obligations.
Recommended action: update Image Gallery – Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery to version 1.6.1 or newer as the vendor-provided remediation. Source: Wordfence vulnerability record.
Similar Attacks
Authenticated plugin vulnerabilities are commonly abused after attackers gain access to a legitimate WordPress user account. For context, here are a few real, widely reported WordPress plugin incidents showing how plugin flaws can be leveraged to compromise business websites:
Elementor Pro: critical vulnerability patched (Wordfence)
WooCommerce Payments: vulnerability disclosure and impact (Wordfence)
Slider Revolution: historical vulnerability write-up (Wordfence)