Untrusted Input Vulnerability in Photo Video Gallery Master Plugin Allows PHP Object Injection and File Delete
CVE-2024-5724
Key Information:
- Vendor: Webhuntinfotech
- Product: Photo Video Gallery Master
- CVE Published: 19 June 2024
Summary
The Photo Video Gallery Master plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 1.5.3. The vulnerability arises from the deserialization of untrusted input in the 'PVGM_all_photos_details' parameter, which allows authenticated users with Contributor-level access or higher to inject PHP objects. There is no known Property-Oriented Programming (POP) chain in the vulnerable software itself, but a POP chain supplied by an additional plugin or theme can lead to severe repercussions. Attackers may exploit this vulnerability to delete arbitrary files, compromise sensitive information, or execute malicious code, significantly impacting the integrity and confidentiality of the affected WordPress installation.
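The difference between the unsafe pattern and a hardened decode, as an added example that is not the plugin's code: it contrasts a bare `unserialize()` call with one that uses the `allowed_classes` option and refuses any object in the result. The function names, the `DemoGadget` class, the sample values, and the assumption that the parameter should hold only nested arrays of scalars are all hypothetical; it assumes PHP 7.4 or later.

```php
<?php
// Added illustration, not the plugin's code. All names here are hypothetical.
// DemoGadget stands in for a class shipped by some other plugin or theme whose
// magic method has a side effect; this one only records that it ran.
final class DemoGadget {
    public static array $fired = [];
    public string $target = '';
    public function __wakeup(): void { self::$fired[] = $this->target; }
}

// The pattern the advisory describes: request data goes straight to unserialize().
function pvgm_decode_unsafe(string $raw) {
    return unserialize($raw);
}

function pvgm_has_object($value): bool {
    if (is_object($value)) {          // also true for __PHP_Incomplete_Class
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (pvgm_has_object($item)) { return true; }
        }
    }
    return false;
}

// Hardened decode: no class is instantiated, and any object in the data is refused.
function pvgm_decode_safe(string $raw): ?array {
    $data = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 8]);
    if (!is_array($data) || pvgm_has_object($data)) {
        return null;
    }
    return $data;
}

// Constructed sample values for the 'PVGM_all_photos_details' parameter.
$gadget = new DemoGadget();
$gadget->target = 'marker';
$benign  = serialize([['title' => 'Beach', 'file' => 'beach.jpg']]);
$hostile = serialize([['title' => 'Beach', 'file' => $gadget]]);

pvgm_decode_unsafe($hostile);
printf("unsafe decode ran magic methods: %d\n", count(DemoGadget::$fired));
DemoGadget::$fired = [];
printf("safe decode of hostile input is null: %s\n", var_export(pvgm_decode_safe($hostile) === null, true));
printf("safe decode ran magic methods: %d\n", count(DemoGadget::$fired));
printf("safe decode of benign input rows: %d\n", count(pvgm_decode_safe($benign)));
```

Where the stored format can change, encoding the value with `json_encode()` and reading it with `json_decode()` removes object instantiation from the decode path entirely.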
Affected Version(s)
Photo Video Gallery Master <= 1.5.3