FKIE_CVE-2024-0221

Vulnerability from fkie_nvd - Published: 2024-02-05 22:15 - Updated: 2024-11-21 08:46
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.8.19 via the rename_item function. This makes it possible for authenticated attackers to rename arbitrary files on the server. This can lead to site takeovers if the wp-config.php file of a site can be renamed. By default this can be exploited by administrators only. In the premium version of the plugin, administrators can give gallery management permissions to lower level users, which might make this exploitable by users as low as contributors.
References
security@wordfence.comhttps://plugins.trac.wordpress.org/browser/photo-gallery/trunk/filemanager/controller.php#L291Issue Tracking
security@wordfence.comhttps://plugins.trac.wordpress.org/browser/photo-gallery/trunk/filemanager/controller.php#L441Issue Tracking
security@wordfence.comhttps://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3022981%40photo-gallery%2Ftrunk&old=3013021%40photo-gallery%2Ftrunk&sfp_email=&sfph_mail=Patch
security@wordfence.comhttps://www.wordfence.com/threat-intel/vulnerabilities/id/3a3b8f32-f29d-4e67-8fad-202bfc8a9918?source=cvePatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://plugins.trac.wordpress.org/browser/photo-gallery/trunk/filemanager/controller.php#L291Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://plugins.trac.wordpress.org/browser/photo-gallery/trunk/filemanager/controller.php#L441Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3022981%40photo-gallery%2Ftrunk&old=3013021%40photo-gallery%2Ftrunk&sfp_email=&sfph_mail=Patch
af854a3a-2127-422b-91ae-364da2661108https://www.wordfence.com/threat-intel/vulnerabilities/id/3a3b8f32-f29d-4e67-8fad-202bfc8a9918?source=cvePatch, Third Party Advisory
Impacted products
Vendor Product Version
10web photo_gallery *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:10web:photo_gallery:*:*:*:*:*:wordpress:*:*",
              "matchCriteriaId": "66A6F0D1-8EBF-4862-9BAF-DDCB55232FCE",
              "versionEndExcluding": "1.8.20",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Photo Gallery by 10Web \u2013 Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.8.19 via the rename_item function. This makes it possible for authenticated attackers to rename arbitrary files on the server. This can lead to site takeovers if the wp-config.php file of a site can be renamed. By default this can be exploited by administrators only. In the premium version of the plugin, administrators can give gallery management permissions to lower level users, which might make this exploitable by users as low as contributors."
    },
    {
      "lang": "es",
      "value": "El complemento Photo Gallery by 10Web \u2013 Mobile-Friendly Image Gallery para WordPress es vulnerable a Directory Traversal en todas las versiones hasta la 1.8.19 incluida, a trav\u00e9s de la funci\u00f3n rename_item. Esto hace posible que atacantes autenticados cambien el nombre de archivos arbitrarios en el servidor. Esto puede provocar adquisiciones de sitios si se puede cambiar el nombre del archivo wp-config.php de un sitio. De forma predeterminada, esto s\u00f3lo puede ser aprovechado por los administradores. En la versi\u00f3n premium del complemento, los administradores pueden otorgar permisos de administraci\u00f3n de la galer\u00eda a usuarios de niveles inferiores, lo que podr\u00eda hacer que esto sea explotable por usuarios tan bajos como los contribuyentes."
    }
  ],
  "id": "CVE-2024-0221",
  "lastModified": "2024-11-21T08:46:05.567",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "security@wordfence.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-05T22:15:59.297",
  "references": [
    {
      "source": "security@wordfence.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://plugins.trac.wordpress.org/browser/photo-gallery/trunk/filemanager/controller.php#L291"
    },
    {
      "source": "security@wordfence.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://plugins.trac.wordpress.org/browser/photo-gallery/trunk/filemanager/controller.php#L441"
    },
    {
      "source": "security@wordfence.com",
      "tags": [
        "Patch"
      ],
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3022981%40photo-gallery%2Ftrunk\u0026old=3013021%40photo-gallery%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "source": "security@wordfence.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3a3b8f32-f29d-4e67-8fad-202bfc8a9918?source=cve"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://plugins.trac.wordpress.org/browser/photo-gallery/trunk/filemanager/controller.php#L291"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://plugins.trac.wordpress.org/browser/photo-gallery/trunk/filemanager/controller.php#L441"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3022981%40photo-gallery%2Ftrunk\u0026old=3013021%40photo-gallery%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3a3b8f32-f29d-4e67-8fad-202bfc8a9918?source=cve"
    }
  ],
  "sourceIdentifier": "security@wordfence.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.