Unauthorized File Inclusion Vulnerability in YouTube Playlist and Channel Gallery Plugin for WordPress
CVE-2024-4258

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: Video Gallery – Youtube Playlist, Channel Gallery By YotuWP
Vendor: CVE Published:; 15 June 2024

Summary

The Video Gallery – YouTube Playlist, Channel Gallery plugin by YotuWP for WordPress is susceptible to a Local File Inclusion vulnerability that impacts all versions up to and including 1.3.13. This vulnerability allows unauthenticated attackers to manipulate the settings parameter, enabling them to include and execute arbitrary files housed on the server. As a consequence, this flaw permits the execution of malicious PHP code within those files. The exploitation of this vulnerability can lead to unintended access to sensitive information or facilitate unauthorized code execution, particularly in scenarios where file uploads are not sufficiently restricted to safe file types.

Affected Version(s)

Video Gallery – YouTube Playlist, Channel Gallery by YotuWP * <= 1.3.13

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/yotuwp-easy-yo...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 15, 2024
Vulnerability Reserved
Apr 26, 2024

Credit

Lucio Sá

Friderika Baranyai