
CVE-2024-3097: Missing Authorization in NextGEN Gallery

Severity: 5.3 MEDIUM (NVD)
EPSS: 22.1% (top 4.20%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Apr 9, 2024

Description

The WordPress Gallery Plugin – NextGEN Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_item function in versions up to, and including, 3.59. This makes it possible for unauthenticated attackers to extract sensitive data including EXIF and other metadata of any image uploaded through the plugin.
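To show the bug class behind this CVE (a read handler that returns per-image metadata without checking who is asking) next to its fix, here is a hypothetical WordPress REST endpoint written for this page. It is not NextGEN Gallery's code and does not claim to reproduce how that plugin exposes its `get_item` function; the `example-gallery/v1` namespace, route paths, function names and the `edit_post` capability used in the hardened form are all assumptions chosen for illustration.

```php
<?php
/**
 * Added illustration of the CVE-2024-3097 bug class: a read handler that hands
 * back an uploaded image's metadata without any capability check. Hypothetical
 * example code written for this page; NOT NextGEN Gallery's implementation.
 * Namespace, routes, function names and capabilities below are assumptions.
 */

// --- Vulnerable form ---------------------------------------------------------
// '__return_true' tells the REST server that no authorisation is needed, so
// wp_get_attachment_metadata() (which includes the EXIF-derived 'image_meta'
// block: camera, created_timestamp, aperture, copyright, ...) is returned to
// any HTTP client, authenticated or not, for any attachment id it guesses.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-gallery/v1', '/images/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_gallery_get_item_vulnerable',
        'permission_callback' => '__return_true',
    ) );
} );

function example_gallery_get_item_vulnerable( WP_REST_Request $request ) {
    $id = (int) $request['id'];
    return rest_ensure_response( wp_get_attachment_metadata( $id ) );
}

// --- Hardened form -----------------------------------------------------------
// The permission callback is bound to the specific attachment, not a blanket
// "is logged in" test, and the id is validated before the callback runs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-gallery/v1', '/secure-images/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_gallery_get_item_secure',
        'permission_callback' => 'example_gallery_can_read_item',
        'args'                => array(
            'id' => array(
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

function example_gallery_can_read_item( WP_REST_Request $request ) {
    $id = (int) $request['id'];

    // rest_authorization_required_code() yields 401 for anonymous callers and
    // 403 for logged-in users who lack the capability.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.',
            array( 'status' => rest_authorization_required_code() ) );
    }

    // Meta-capability check against this attachment: map_meta_cap() resolves
    // 'edit_post' on an attachment to edit_posts / edit_others_posts as
    // appropriate for the owner, so users cannot read other people's uploads.
    if ( ! current_user_can( 'edit_post', $id ) ) {
        return new WP_Error( 'rest_forbidden', 'You may not read this image.',
            array( 'status' => rest_authorization_required_code() ) );
    }
    return true;
}

function example_gallery_get_item_secure( WP_REST_Request $request ) {
    $id = (int) $request['id'];
    if ( 'attachment' !== get_post_type( $id ) ) {
        return new WP_Error( 'not_found', 'No such image.', array( 'status' => 404 ) );
    }
    $meta = wp_get_attachment_metadata( $id );
    if ( false === $meta ) {
        return new WP_Error( 'not_found', 'No metadata for this image.', array( 'status' => 404 ) );
    }
    return rest_ensure_response( $meta );
}
```

With both routes registered, an anonymous `GET /wp-json/example-gallery/v1/images/<id>` returns the metadata array, which is the behaviour the CVE description calls out; the same request against `/secure-images/<id>` is answered with a 401, and a logged-in user without rights to that attachment gets a 403. The key point for reviewing similar plugin code is that a `permission_callback` of `__return_true` (or no capability check at all on an AJAX or custom handler) is only acceptable for data that is genuinely public, and EXIF metadata of arbitrary uploads is not.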

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages: 1 package


🔴 Vulnerability Details (2 sources)

CVEList (2024-04-09): WordPress Gallery Plugin – NextGEN Gallery <= 3.59 - Missing Authorization to Unauthenticated Information Disclosure
GHSA-w249-f84q-3v47 (2024-04-09): The WordPress Gallery Plugin – NextGEN Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on …

💥 Exploits & PoCs (1)

Nuclei: NextGEN Gallery <= 3.59 - Missing Authorization to Unauthenticated Information Disclosure

Source: cvebase, CVE-2024-3097 (Missing Authorization)