Arbitrary Code Execution in File Gallery Plugin for WordPress
CVE-2014-2558
Currently unrated
Summary
The File Gallery plugin for WordPress before version 1.7.9.2 does not properly escape strings, which leads to arbitrary code execution. A remote administrator can inject and execute arbitrary PHP code through crafted input in the settings fields accessed via /wp-admin/options-media.php. The vulnerability is linked to PHP's create_function function. Exploitation requires administrative privileges, and a successful attacker can run arbitrary PHP code on the affected WordPress installation.
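The following audit sketch is an added example, not code from this advisory or from the plugin. It scans PHP source for create_function calls and flags those whose code-body argument is assembled at runtime through concatenation or interpolation, which is the pattern behind the escaping flaw described above. The sample PHP is constructed for illustration, and the helper names (split_args, audit) are this example's own.

```python
import re

CALL = re.compile(r"\bcreate_function\s*\(")
# A body is "constant" only if it is a single literal with no interpolation.
SINGLE = re.compile(r"'(?:[^'\\]|\\.)*'", re.S)
DOUBLE_PLAIN = re.compile(r'"(?:[^"\\$]|\\.)*"', re.S)

# Constructed sample for illustration; not taken from the File Gallery source.
SAMPLE_PHP = r'''<?php
$a = create_function('$x', 'return $x * 2;');
$b = create_function('', 'return "' . $options["label"] . '";');
$c = create_function('', "echo '$title';");
$d = function ($x) { return $x; };
'''

def split_args(src, i):
    """Split a PHP call's arguments at top-level commas, honouring quotes and nesting."""
    args, cur, depth, quote = [], [], 0, None
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":                      # keep the escaped char with its backslash
                ch, i = src[i:i + 2], i + 1
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch in "([{":
            depth += 1
        elif ch in ")]}":
            if depth == 0:                      # closing paren of the call itself
                return args + ["".join(cur).strip()]
            depth -= 1
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur, ch = [], ""
        cur.append(ch)
        i += 1
    return []                                   # unbalanced call, e.g. truncated file

def audit(src):
    """Return (line, verdict, body_expression) for each create_function call (comments included)."""
    findings = []
    for m in CALL.finditer(src):
        body = (split_args(src, m.end()) + ["", ""])[1]
        verdict = "constant" if SINGLE.fullmatch(body) or DOUBLE_PLAIN.fullmatch(body) else "dynamic"
        findings.append((src.count("\n", 0, m.start()) + 1, verdict, body))
    return findings
```

create_function has been deprecated since PHP 7.2 and was removed in PHP 8.0, so every hit, constant or dynamic, is a candidate for replacement with a closure.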