CVE · April 25, 2026

HM Books Gallery Missing Authorization Vulnerability

Logged-in users can bypass access controls in HM Books Gallery. This missing authorization flaw affects the book management features and puts your book catalog at risk. Update the plugin without delay.

CVE-2026-5347: What Is the Risk?

CVE-2026-5347 has a CVSS score of 5.3. It lets any authenticated user reach features that should be restricted: subscribers and contributors can perform actions meant for administrators, such as adding or deleting book entries, and possibly changing gallery settings. This bypasses the WordPress role and capability system.

Vulnerability Description

CVE-2026-5347 affects the HM Books Gallery plugin, which lets site owners create and manage book galleries. The plugin registers AJAX handlers that process book data, and those handlers never check the caller's role or capability before acting.

Any logged-in user can exploit this flaw: they can add new books to galleries, edit or delete existing entries, and possibly upload media files. The plugin effectively trusts that only privileged users will send these requests; the server itself performs no capability check, so keeping the management UI out of sight of low-privilege accounts provides no protection. Server-side authorization is missing entirely.

Affected Versions

Versions of HM Books Gallery before 1.0.3 are vulnerable. The developer has released 1.0.3 as the security update. Check your installed version; if it is older than 1.0.3, upgrade now. Older versions have no protection.

How to Fix It

Update HM Books Gallery to the latest version. Open your WordPress admin panel, go to Plugins, find HM Books Gallery and click Update Now. The patch adds proper authorization checks: it calls current_user_can() to verify the caller's capability and applies that check to all of the plugin's AJAX endpoints.
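The handler pattern described under Vulnerability Description, and the current_user_can() fix described here, as an added example. This is illustrative code written for this page, not the plugin's own source: the hook name hmbg_delete_book, the hmbg_ prefix, the nonce action and the assumption that books are stored as a custom post type called book are all assumptions. It shows the unprotected handler next to a hardened one.

```php
<?php
/**
 * Added example, not HM Books Gallery's code. A wp_ajax_ handler that
 * deletes a book entry without any capability check, followed by the same
 * handler with server-side authorization. Hook names, the 'hmbg_' prefix
 * and the 'book' post type are assumptions.
 */

// --- Vulnerable pattern: any logged-in user reaches this handler. ---
// WordPress routes POST /wp-admin/admin-ajax.php?action=hmbg_delete_book to
// every callback hooked on wp_ajax_hmbg_delete_book. Being logged in is the
// only requirement; nothing here asks which role the caller holds.
function hmbg_delete_book_vulnerable() {
    $book_id = isset( $_POST['book_id'] ) ? absint( $_POST['book_id'] ) : 0;
    // No capability check, no nonce: a subscriber can delete any post ID.
    wp_delete_post( $book_id, true );
    wp_send_json_success( array( 'deleted' => $book_id ) );
}
// The unpatched plugin would wire it like this (left unregistered here so the
// secure handler below is the only one that runs):
// add_action( 'wp_ajax_hmbg_delete_book', 'hmbg_delete_book_vulnerable' );

// --- Hardened pattern: authorization enforced on the server. ---
function hmbg_delete_book_secure() {
    // 1. CSRF: the request must carry a nonce issued to this user for this
    //    action. check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'hmbg_delete_book', 'nonce' );

    $book_id = isset( $_POST['book_id'] ) ? absint( $_POST['book_id'] ) : 0;
    $post    = $book_id ? get_post( $book_id ) : null;

    // 2. The target must exist and be of the type this handler manages, so
    //    the endpoint cannot be pointed at arbitrary posts or pages.
    if ( ! $post || 'book' !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'No such book.' ), 404 );
    }

    // 3. Capability check against the specific object, not just "logged in".
    //    'delete_post' is a meta capability that WordPress maps to
    //    delete_posts / delete_others_posts / delete_published_posts based on
    //    ownership and status (assuming the post type uses standard post
    //    capabilities). A subscriber has none of these; an author may delete
    //    only their own drafts; editors and administrators may delete any.
    if ( ! current_user_can( 'delete_post', $book_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    wp_delete_post( $book_id, true );
    wp_send_json_success( array( 'deleted' => $book_id ) );
}
add_action( 'wp_ajax_hmbg_delete_book', 'hmbg_delete_book_secure' );

// The nonce the secure handler expects has to be minted server-side and
// handed to the gallery's admin JavaScript, for example when it is enqueued.
function hmbg_enqueue_admin_script() {
    wp_enqueue_script( 'hmbg-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0.3', true );
    wp_localize_script( 'hmbg-admin', 'hmbgAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'hmbg_delete_book' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'hmbg_enqueue_admin_script' );
```

The nonce alone would not have fixed this bug: a subscriber can obtain a valid nonce from any page that exposes it, so the capability check is the part that closes the authorization hole, and the nonce only stops cross-site requests riding on a privileged user's session. If the plugin stores books some other way than a custom post type, substitute the narrowest primitive capability that fits the action (for example manage_options for settings changes) rather than dropping the check.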

After updating, audit your book galleries and remove any content you did not add. Review which user accounts exist and what roles they hold, and apply the principle of least privilege: give each account only the capabilities it needs. Take a backup of your site before the update so you can roll back if needed.

What Is HM Books Gallery?

HM Books Gallery is a WordPress plugin for creating book catalogs and library listings. Authors, publishers, and bookstores use it to display book covers, descriptions, prices, and reviews. It stores book metadata and user-submitted content in the WordPress database.

Missing authorization in a content management plugin means low-privilege users can read or change data they have no right to touch.

CVE-2026-5347 Details

CVE-2026-5347 is a missing authorization vulnerability. The plugin exposes AJAX endpoints that modify book gallery entries. Authenticated users with minimal privileges can add, edit, and delete book entries without proper authorization checks.

An attacker with a subscriber account could delete your entire book catalog. Restoring it from backup takes time and may lose recent changes. They could also inject malicious descriptions with links to phishing sites.

Versions at Risk

All versions below 1.0.3 are vulnerable. Update to version 1.0.3, which adds proper user capability checks to all protected endpoints.

How to Protect Your Site

Update the plugin from your WordPress dashboard. After updating, check your book gallery for any unauthorized changes. Review recent user activity logs for suspicious account activity.

The HM Books Gallery plugin is available at https://codecanyon.net/item/books-gallery-wordpress-plugin/22759685.
