
CVE-2021-24363 : Security Advisory and Response

Learn about CVE-2021-24363 affecting Photo Gallery by 10Web plugin < 1.5.75. Understand the impact, technical details, and mitigation strategies to protect your WordPress site.

A critical vulnerability has been identified in the Photo Gallery WordPress plugin that allows high-privilege users to control where uploaded files are written by supplying a path traversal sequence in the upload request.

Understanding CVE-2021-24363

This CVE affects the Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin versions prior to 1.5.75.

What is CVE-2021-24363?

The Photo Gallery plugin failed to confine uploaded files to its designated upload folder, so a malicious user could place image or SVG files anywhere in the file system that the web server process is permitted to write to, by means of a path traversal sequence in the upload path.

The Impact of CVE-2021-24363

This vulnerability can be exploited by attackers who already hold elevated privileges on the WordPress site to overwrite files outside the upload folder, including critical system or application files, leading to potential data loss, unauthorized access, and full system compromise.

Technical Details of CVE-2021-24363

The following technical aspects are associated with CVE-2021-24363:

Vulnerability Description

The issue stems from the plugin's failure to validate the destination path of uploaded files against its intended upload directory, which results in a path traversal vulnerability.

Affected Systems and Versions

Photo Gallery plugin versions earlier than 1.5.75 are vulnerable to this exploit.

Exploitation Mechanism

Malicious users with high privileges can abuse the flawed upload process to escape the designated folder and write harmful files to arbitrary locations.
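The defensive check the plugin was missing is destination-path containment: resolve the final path and verify it stays under the upload root before writing anything. The following Python snippet is an added illustration, not code from the Photo Gallery plugin; the upload root, the extension allowlist and the sample paths are constructed for the example.

```python
import os

# Constructed example: the directory uploads are supposed to stay inside.
UPLOAD_ROOT = "/var/www/html/wp-content/uploads/photo-gallery"
# Constructed allowlist matching the image/SVG uploads the advisory mentions.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".svg"}


class UnsafeUploadPath(ValueError):
    """Raised when a requested destination escapes the upload root."""


def resolve_upload_destination(relative_path: str, upload_root: str = UPLOAD_ROOT) -> str:
    """Return the absolute destination for an upload, or raise UnsafeUploadPath.

    The containment check runs on the normalised, resolved path rather than on
    the raw input, so "..", doubled separators and absolute paths are all
    caught by one rule instead of a blacklist of suspicious substrings.
    """
    if not relative_path or "\x00" in relative_path:
        raise UnsafeUploadPath("empty path or embedded NUL byte")

    root = os.path.realpath(upload_root)
    # Treat the supplied value as relative no matter how it is written; an
    # absolute path would otherwise replace the root inside os.path.join().
    candidate = os.path.realpath(os.path.join(root, relative_path.lstrip("/")))

    # commonpath() rather than startswith(): "/uploads/gallery" must not
    # accept "/uploads/gallery-old/x.png" as being inside it.
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafeUploadPath(f"destination escapes upload root: {relative_path!r}")

    ext = os.path.splitext(candidate)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UnsafeUploadPath(f"extension not allowed: {ext!r}")
    return candidate


def is_safe(relative_path: str, upload_root: str = UPLOAD_ROOT) -> bool:
    """True if the destination would be accepted, False if it is rejected."""
    try:
        resolve_upload_destination(relative_path, upload_root)
        return True
    except UnsafeUploadPath:
        return False


if __name__ == "__main__":
    # Constructed sample destinations: the first is legitimate, the rest are not.
    for p in ["album1/cat.jpg", "../../../../tmp/x.svg", "/etc/passwd", "album1/shell.php"]:
        print(f"{p!r:32} -> {'ACCEPT' if is_safe(p) else 'REJECT'}")
```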

Mitigation and Prevention

To safeguard your system from CVE-2021-24363, follow these recommended security measures:

Immediate Steps to Take

- Update the Photo Gallery plugin to version 1.5.75 or later.
- Restrict user privileges to minimize the impact of potential attacks.

Long-Term Security Practices

- Regularly monitor file uploads and user activities on your WordPress site.
- Implement security plugins and firewalls to detect and block malicious file uploads.

Patching and Updates

Stay informed about security updates for the Photo Gallery plugin and promptly install them to mitigate the risk of exploitation.
