Vulnerability in Grid View Gallery Plugin Allows PHP Object Injection
CVE-2024-11409

7.2HIGH

Key Information:

Vendor: Wordpress
Status: Grid View Gallery
Vendor: CVE Published:; 21 November 2024

Summary

The Grid View Gallery plugin for WordPress is susceptible to PHP Object Injection, which allows authenticated users with Editor-level access and higher to exploit deserialization of untrusted input from the cs_all_photos_details parameter. This vulnerability can enable attackers to inject a PHP Object, posing significant risks if an exploit chain is available through additional plugins or themes. Such exploitation could result in unauthorized file deletions, retrieval of sensitive data, or execution of malicious code.

Affected Version(s)

Grid View Gallery * <= 1.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/grid-view-gall...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 21, 2024
Vulnerability Reserved
Nov 19, 2024

Credit

Francesco Carlucci