{"api_version":"1","generated_at":"2026-05-02T00:26:33+00:00","cve":"CVE-2019-25149","urls":{"html":"https://cve.report/CVE-2019-25149","api":"https://cve.report/api/cve/CVE-2019-25149.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-25149","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-25149"},"summary":{"title":"Gallery Images Ape <= 2.0.6 - Authenticated Plugin Deactivation","description":"The Gallery Images Ape plugin for WordPress is vulnerable to Arbitrary Plugin Deactivation in versions up to, and including, 2.0.6. This allows authenticated attackers with any capability level to deactivate any plugin on the site, including plugins necessary to site functionality or security.","state":"PUBLISHED","assigner":"Wordfence","published_at":"2023-06-07 02:15:10","updated_at":"2026-04-08 19:17:32"},"problem_types":["CWE-285","NVD-CWE-Other","CWE-285 CWE-285 Improper Authorization"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"security@wordfence.com","type":"Secondary","score":"7.6","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H","baseScore":7.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"7.6","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H","data":{"baseScore":7.6,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H","version":"3.1"}}],"references":[{"url":"https://blog.nintechnet.com/wordpress-ape-gallery-plugin-fixed-authenticated-arbitrary-plugin-deactivation-vulnerability/","name":"https://blog.nintechnet.com/wordpress-ape-gallery-plugin-fixed-authenticated-arbitrary-plugin-deactivation-vulnerability/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit"],"title":"WordPress Ape Gallery plugin fixed authenticated arbitrary plugin deactivation vulnerability. – NinTechNet","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/dfd6c2b8-b00c-49d1-930f-50397e742ac5?source=cve","name":"https://www.wordfence.com/threat-intel/vulnerabilities/id/dfd6c2b8-b00c-49d1-930f-50397e742ac5?source=cve","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Broken Link","Third Party Advisory"],"title":"Gallery Images Ape <= 2.0.6 - Authenticated Plugin Deactivation","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-25149","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-25149","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"galleryape","product":"Gallery Images Ape","version":"affected 2.0.7 semver","platforms":[]}],"timeline":[{"source":"CNA","time":"2019-12-30T00:00:00.000Z","lang":"en","value":"Disclosed"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Jerome Bruandet","lang":"en"}],"nvd_cpes":[{"cve_year":"2019","cve_id":"25149","vulnerable":"1","versionEndIncluding":"2.0.6","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"robogallery","cpe5":"gallery_images_ape","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2019","cve_id":"25149","cve":"CVE-2019-25149","epss":"0.001140000","percentile":"0.300880000","score_date":"2026-04-09","updated_at":"2026-04-10 00:07:03"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-05T03:00:19.386Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_transferred"],"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/dfd6c2b8-b00c-49d1-930f-50397e742ac5?source=cve"},{"tags":["x_transferred"],"url":"https://blog.nintechnet.com/wordpress-ape-gallery-plugin-fixed-authenticated-arbitrary-plugin-deactivation-vulnerability/"}],"title":"CVE Program Container"},{"metrics":[{"other":{"content":{"id":"CVE-2019-25149","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2024-12-20T23:26:52.319107Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2024-12-20T23:49:51.806Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Gallery Images Ape","vendor":"galleryape","versions":[{"lessThan":"2.0.7","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Jerome Bruandet"}],"descriptions":[{"lang":"en","value":"The Gallery Images Ape plugin for WordPress is vulnerable to Arbitrary Plugin Deactivation in versions up to, and including, 2.0.6. This allows authenticated attackers with any capability level to deactivate any plugin on the site, including plugins necessary to site functionality or security."}],"metrics":[{"cvssV3_1":{"baseScore":7.6,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-285","description":"CWE-285 Improper Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-08T17:28:33.797Z","orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence"},"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/dfd6c2b8-b00c-49d1-930f-50397e742ac5?source=cve"},{"url":"https://blog.nintechnet.com/wordpress-ape-gallery-plugin-fixed-authenticated-arbitrary-plugin-deactivation-vulnerability/"}],"timeline":[{"lang":"en","time":"2019-12-30T00:00:00.000Z","value":"Disclosed"}],"title":"Gallery Images Ape <= 2.0.6 - Authenticated Plugin Deactivation"}},"cveMetadata":{"assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","assignerShortName":"Wordfence","cveId":"CVE-2019-25149","datePublished":"2023-06-07T01:51:47.456Z","dateReserved":"2023-06-06T13:23:36.874Z","dateUpdated":"2026-04-08T17:28:33.797Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2023-06-07 02:15:10","lastModifiedDate":"2026-04-08 19:17:32","problem_types":["CWE-285","NVD-CWE-Other","CWE-285 CWE-285 Improper Authorization"],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H","baseScore":7.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":4.7},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:robogallery:gallery_images_ape:*:*:*:*:*:wordpress:*:*","versionEndIncluding":"2.0.6","matchCriteriaId":"CAB6EC6B-F83D-4AEC-819C-D64DB721B4D6"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"25149","Ordinal":"1","Title":"Gallery Images Ape <= 2.0.6 - Authenticated Plugin Deactivation","CVE":"CVE-2019-25149","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"25149","Ordinal":"1","NoteData":"The Gallery Images Ape plugin for WordPress is vulnerable to Arbitrary Plugin Deactivation in versions up to, and including, 2.0.6. This allows authenticated attackers with any capability level to deactivate any plugin on the site, including plugins necessary to site functionality or security.","Type":"Description","Title":"Gallery Images Ape <= 2.0.6 - Authenticated Plugin Deactivation"}]}}}