PHP Object Injection Vulnerability in Gallery Plugin by BestWebSoft for WordPress
CVE-2024-13906

7.2HIGH

Key Information:

Vendor

WordPress
Status
Gallery By Bestwebsoft – Customizable Image And Photo Galleries For WordPress
Vendor
CVE Published:
7 March 2025

What is CVE-2024-13906?

The Gallery plugin by BestWebSoft for WordPress is susceptible to PHP Object Injection through the ‘import_gallery_from_csv’ functionality. This vulnerability is present in all versions up to 4.7.3 and may allow authenticated attackers with Administrator-level access to inject a PHP object via the deserialization of untrusted input. While there is no known Property-Oriented Programming (POP) chain in the affected software itself, the vulnerability's risk escalates if an additional plugin or theme with a POP chain is installed. If such a chain is present, attackers may exploit it to perform unauthorized actions, including deleting files, accessing sensitive information, or executing arbitrary code.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress * <= 4.7.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/gallery-plugin...
https://plugins.trac.wordpress.org/changeset/3249573/

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Hoang Phuc Vo
JSON
.