CVE-2024-5481

CWE-35CWE-22Path Traversal3 documents3 sources
Severity
8.8HIGH
EPSS
1.6%
top 18.30%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
10web Photo Gallery10web Photo Gallery BY 10web – Mobile-friendly Image Gallery
Timeline
PublishedJun 7

Description

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.8.23 via the esc_dir function. This makes it possible for authenticated attackers to cut and paste (copy) the contents of arbitrary files on the server, which can contain sensitive information, and to cut (delete) arbitrary directories, including the root WordPress directory. By default this can be exploited by administrators only. In the premium

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:HExploitability: 1.6 | Impact: 5.2

Affected Packages2 packages

NVD10web/photo_gallery< 1.8.24

Patches

Patch: plugins.trac.wordpress.orgPatch: plugins.trac.wordpress.org

🔴Vulnerability Details

2
CVEList
Photo Gallery by 10Web – Mobile-Friendly Image Gallery <= 1.8.23 - Authenticated (Contributor+) Path Traversal via esc_dir Function2024-06-07
GHSA
GHSA-h438-86cm-g2q6: The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including,2024-06-07
CVE-2024-5481 (HIGH CVSS 8.8) | The Photo Gallery by 10Web – Mobile | cvebase.io