Unauthorized Image Upload Vulnerability in MaxGalleria Plugin for WordPress
CVE-2024-3581

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Maxgalleria
Vendor: CVE Published:; 2 May 2024

What is CVE-2024-3581?

The MaxGalleria plugin for WordPress contains a vulnerability that allows authenticated users with subscriber access or higher to upload arbitrary images to a gallery. This issue arises from a missing capability check in the add_media_library_images_to_gallery function across all versions up to and including 6.4.2. Attackers could exploit this flaw to compromise gallery integrity by uploading unauthorized media, potentially leading to further security risks.

Affected Version(s)

MaxGalleria 0 <= 6.4.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/maxgalleria/tr...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 2, 2024
Vulnerability Reserved
Apr 10, 2024

Credit

Lucio Sá

CVE-2024-3581 Data

JSON