NextGEN Gallery < 3.39 - Admin+ PHAR Deserialization
CVE-2023-3154

7.5HIGH

Key Information:

Vendor: Wordpress
Status: WordPress Gallery Plugin
Vendor: CVE Published:; 16 October 2023

Summary

The WordPress Gallery Plugin prior to version 3.39 contains a vulnerability in the gallery_edit function that stems from insufficient validation of input parameters. This weakness enables an attacker to exploit PHAR deserialization, potentially gaining access to arbitrary resources on the server. Proper input sanitization is essential to mitigate the risks associated with this vulnerability.

Affected Version(s)

WordPress Gallery Plugin 0 < 3.39

References

https://wpscan.com/vulnerability/ed099489-1db4-4b42-9f72-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 16, 2023
Vulnerability Reserved
Jun 7, 2023

Credit

Linwz from DEVCORE

WPScan