CVE-2007-2426
published 2007-05-02

Priority: P272 high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 62.87% (99.1th percentile)
PHP remote file inclusion vulnerability in myfunctions/mygallerybrowser.php in the myGallery 1.4b4 and earlier plugin for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the myPath parameter.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wildbits | mygallery | <= 1.4b4 | |

Detection & IOCs (extracted from sources)

path: /mygallery/myfunctions/mygallerybrowser.php
  • The RFI payload is delivered via the 'myPath' parameter in both GET and POST requests to mygallerybrowser.php; alert on requests where this parameter contains an external URL (http:// or ftp://).
  • Vulnerable only when PHP's 'allow_url_include' (and/or 'allow_url_fopen') is enabled, as the exploit relies on require_once() loading a remote URL supplied by the attacker.
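
The alert condition from the first note, written as log-matching logic. This is an added example, not code from the CVE record or its sources: the function names, the sample events and the inclusion of https:// alongside http:// and ftp:// are assumptions made here. It checks the query string and, for POST, the form body, and decodes repeatedly so percent-encoded values are still matched.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

TARGET = "mygallerybrowser.php"   # script named in the advisory
PARAM = "myPath"                  # parameter named in the advisory
# http:// and ftp:// come from the detection note; https:// is an added assumption.
REMOTE_URL = re.compile(r"(?:https?|ftp)://", re.IGNORECASE)


def _decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded values are still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_rfi_attempt(method, url, body=""):
    """True if a request to the plugin script carries a remote URL in myPath."""
    parts = urlsplit(url)
    if TARGET not in unquote(parts.path).lower():
        return False
    sources = [parts.query]
    if method.upper() == "POST":
        sources.append(body)          # application/x-www-form-urlencoded body
    for raw in sources:
        for value in parse_qs(raw, keep_blank_values=True).get(PARAM, []):
            if REMOTE_URL.search(_decode(value)):
                return True
    return False


def scan(events):
    """Return the indexes of events that should raise an alert."""
    return [i for i, (m, u, b) in enumerate(events) if is_rfi_attempt(m, u, b)]


# Constructed sample events (method, request URL, POST body); hosts are placeholders.
BASE = "/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php"
SAMPLE_EVENTS = [
    ("GET", BASE + "?myPath=http://host.example/a.txt", ""),
    ("POST", BASE, "myPath=ftp%3A%2F%2Fhost.example%2Fa.txt"),
    ("GET", BASE + "?myPath=%2568ttp%253A%252F%252Fhost.example%252Fa", ""),
    ("GET", BASE + "?myPath=../", ""),                       # local path, no alert
    ("GET", "/index.php?myPath=http://host.example/", ""),   # different script
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```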

CVSS provenance

nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 7.5 HIGH