First published: Mon Aug 16 2021
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded files are kept inside its uploads folder, allowing high-privilege users to put images/SVG anywhere in the filesystem via a path traversal vector.
Credit: contact@wpscan.com
Affected Software | Affected Version | How to fix |
---|---|---|
10web Photo Gallery | <1.5.75 |
CVE-2021-24363 is a vulnerability in the Photo Gallery by 10Web plugin for WordPress that allows high-privilege users to upload files anywhere in the filesystem.
The severity of CVE-2021-24363 is rated as medium with a CVSS score of 4.9.
CVE-2021-24363 allows high-privilege users to upload images/SVG anywhere in the filesystem using a path traversal vulnerability in the Photo Gallery plugin.
To fix CVE-2021-24363, update the Photo Gallery by 10Web plugin to version 1.5.75 or above.
CWE-22 is Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), the weakness class that CVE-2021-24363 belongs to.
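
The missing check described above, keeping the upload destination inside the uploads folder, can be written as the containment test below. This is an added example, not the plugin's code or its 1.5.75 patch; the function names, the requested-directory parameter and the temporary directory tree are assumptions made for illustration.

```php
<?php
// Added illustration, not the plugin's code. All names here are hypothetical.

// Resolve a requested sub-directory against the uploads root; null if it escapes.
function resolve_upload_dir(string $uploadsRoot, string $requestedDir): ?string
{
    $root = realpath($uploadsRoot);
    if ($root === false || strpos($requestedDir, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, and fails on missing paths.
    $target = realpath($root . DIRECTORY_SEPARATOR . $requestedDir);
    if ($target === false || !is_dir($target)) {
        return null;
    }
    // Compare against the root plus a trailing separator, so a sibling such as
    // "uploads-evil" does not pass a bare prefix match on "uploads".
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target !== $root && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Build the final path from the checked directory and a bare file name.
function safe_destination(string $uploadsRoot, string $requestedDir, string $clientName): ?string
{
    $dir = resolve_upload_dir($uploadsRoot, $requestedDir);
    $name = basename(str_replace('\\', '/', $clientName));
    if ($dir === null || $name === '' || $name === '.' || $name === '..') {
        return null;
    }
    return $dir . DIRECTORY_SEPARATOR . $name;
}

// Constructed sample input: a throwaway directory tree and four requested paths.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload-demo-' . uniqid();
mkdir($base . '/uploads/gallery', 0700, true);
mkdir($base . '/uploads-evil', 0700, true);
foreach (['gallery', '..', '../uploads-evil', 'gallery/../..'] as $requested) {
    $dest = safe_destination($base . '/uploads', $requested, '../photo.svg');
    printf("%-16s => %s\n", $requested, $dest ?? 'REJECTED');
}
```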