Cross-Site Request Forgery Vulnerability in Image Gallery Plugin
CVE-2024-5343

8.8HIGH

Key Information:

Vendor
Wordpress
Status
Photo Gallery, Images, Slider In Rbs Image Gallery
Vendor
CVE Published:
19 June 2024

Summary

The Rbs Image Gallery plugin for WordPress is affected by a vulnerability that enables Cross-Site Request Forgery (CSRF) attacks. This vulnerability stems from insufficient or incorrect nonce validation in the 'rbs_ajax_create_article' and 'rbs_ajax_reset_views' functions. Attackers can exploit this weakness to deceive users with Contributor+ privileges into executing unauthorized actions, such as creating new posts or resetting gallery view counts, simply by clicking on malicious links. This poses a significant risk to the integrity of user-generated content and could lead to unwanted changes in the gallery's settings.

Affected Version(s)

Photo Gallery, Images, Slider in Rbs Image Gallery * <= 3.2.19

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/robo-gallery/t...
https://plugins.trac.wordpress.org/browser/robo-gallery/t...

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Stephanie Walters
.