CVE-2015-9538
Published 2019-11-26
CVE-2015-9538: The NextGEN Gallery plugin before 2.1.15 for WordPress allows ../ Directory Traversal in path selection.
Priority: P3 · 50 · medium
CVSS 3.1: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EXPLOIT
EPSS: 10.12% (95.1th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| imagely | nextgen_gallery | < 2.1.15 | 2.1.15 |
Detection & IOCs (extracted from sources)
- Exploit targets WordPress Plugin 'NextGEN Gallery' versions up to and including 2.1.7 (before 2.1.15) via authenticated directory traversal in path selection
- Look for directory traversal patterns (../) in HTTP requests targeting NextGEN Gallery path selection parameters in WordPress
- Exploitation requires authentication — unauthenticated requests will not trigger the vulnerability
- The traversal allows reading arbitrary directories (not just files) with web server process privileges — scope of exposure depends on server user permissions
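CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |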
References
- https://cxsecurity.com/issue/WLB-2015080165
- https://cybersecurityworks.com/zerodays/cve-2015-9538-nextgen.html
- https://github.com/cybersecurityworks/Disclosed/issues/2
- https://packetstormsecurity.com/files/135114/WordPress-NextGEN-Gallery-2.1.15-Cross-Site-Scripting-Path-Traversal.html
- https://wordpress.org/plugins/nextgen-gallery/#developers
- https://www.openwall.com/lists/oss-security/2015/08/28/4
- https://www.openwall.com/lists/oss-security/2015/09/01/7