Unauthorized Access to Private Post Titles in Rbs Image GalleryPlugin
CVE-2024-8431

4.3MEDIUM

Key Information:

Vendor: Wordpress
Status: Photo Gallery, Images, Slider In Rbs Image Gallery
Vendor: CVE Published:; 8 October 2024

Summary

The Rbs Image Gallery plugin for WordPress features a security flaw that enables unauthorized data access due to a lack of necessary capability checks within the ajaxGetGalleryJson() function. This vulnerability impacts all versions up to and including 3.2.21, allowing authenticated users with subscriber-level access or higher to exploit the weakness and retrieve private post titles, compromising data confidentiality and user privacy.

Affected Version(s)

Photo Gallery, Images, Slider in Rbs Image Gallery * <= 3.2.21

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/robo-gallery/t...

https://plugins.trac.wordpress.org/changeset/3162670/robo...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 8, 2024
Vulnerability Reserved
Sep 4, 2024

Credit

Trương Hữu Phúc (truonghuuphuc)