Unauthenticated Arbitrary Shortcode Execution Vulnerability in Album and Image Gallery plus Lightbox Plugin for WordPress
CVE-2024-4194

7.3HIGH

Key Information:

Vendor: Wordpress
Status: Album And Image Gallery Plus Lightbox
Vendor: CVE Published:; 6 June 2024

Summary

The Album and Image Gallery plus Lightbox plugin for WordPress contains a vulnerability that enables arbitrary shortcode execution across all versions up to and including 2.0. This issue arises from the plugin's failure to correctly validate user inputs before executing specific actions through the do_shortcode function. Consequently, unauthenticated attackers may exploit this weakness to inject and execute arbitrary shortcodes, potentially leading to unauthorized access or manipulation of site content. Website owners utilizing this plugin should take immediate action to secure their installations.

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/album-and-imag...

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 6, 2024