Gallery Plugin for WordPress – Envira Photo Gallery – Missing Authorization to Gallery Modification via envira_gallery_insert_images – CVE-2023-6742 | WordPress Plugin Vulnerability Report
Plugin Name: Gallery Plugin for WordPress – Envira Photo Gallery
Key Information:
- Software Type: Plugin
- Software Slug: envira-gallery-lite
- Software Status: Active
- Software Author: smub
- Software Downloads: 5,197,570
- Active Installs: 100,000
- Last Updated: January 8, 2024
- Patched Versions: 1.8.7.3
- Affected Versions: <= 1.8.7.2
Vulnerability Details:
- Name: Envira Gallery Lite <= 1.8.7.2
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- CVE: CVE-2023-6742
- CVSS Score: 4.3
- Publicly Published: January 8, 2024
- Researcher: Nex Team
- Description: The Envira Photo Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the 'envira_gallery_insert_images' function in all versions up to, and including, 1.8.7.1. This allows authenticated attackers, with contributor access or higher, to modify galleries on other users' posts.
Summary:
The Gallery Plugin for WordPress – Envira Photo Gallery has a vulnerability in versions up to and including 1.8.7.2 that allows unauthorized modification of gallery data by attackers with contributor access or higher. This vulnerability has been patched in version 1.8.7.3.
Detailed Overview:
Discovered by Nex Team, this vulnerability resides in the 'envira_gallery_insert_images' function. The flaw allows attackers with contributor-level access to modify galleries on posts belonging to other users. This lack of proper authorization control presents a significant risk, as unauthorized gallery modifications could lead to misinformation or inappropriate content being displayed on websites. The vulnerability is fixed in version 1.8.7.3.
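The class of flaw described above, shown as an added example that is not Envira Gallery's code: a hypothetical WordPress AJAX handler whose capability check ignores which post is being edited, next to a form that evaluates the `edit_post` capability against the target post. All `demo_*` names, the nonce name and the meta key are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Object-level authorization demo (added example)
 *
 * Hypothetical names throughout: the "demo_gallery_insert_images" action,
 * the "demo-gallery" nonce and the "_demo_gallery_images" meta key are
 * assumptions for illustration, not identifiers from Envira Gallery.
 */

// Weak form: proves the caller is logged in and can edit *some* post.
// Contributors hold edit_posts, so any post_id they submit is accepted.
function demo_insert_images_weak() {
    check_ajax_referer( 'demo-gallery', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    demo_store_images( absint( $_POST['post_id'] ?? 0 ) );
}

// Hardened form: the capability is evaluated against the target post.
// For a post owned by someone else, 'edit_post' maps to edit_others_posts,
// which contributors and authors do not have.
function demo_insert_images_hardened() {
    check_ajax_referer( 'demo-gallery', 'nonce' );
    $post_id = absint( $_POST['post_id'] ?? 0 );
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    demo_store_images( $post_id );
}

// Shared write path: accept only numeric attachment IDs from the request.
function demo_store_images( $post_id ) {
    $raw = (array) wp_unslash( $_POST['images'] ?? array() );
    $ids = array_values( array_filter( array_map( 'absint', $raw ) ) );
    update_post_meta( $post_id, '_demo_gallery_images', $ids );
    wp_send_json_success( array( 'post_id' => $post_id, 'count' => count( $ids ) ) );
}

// Only the hardened handler is registered; wp_ajax_* fires for logged-in users.
add_action( 'wp_ajax_demo_gallery_insert_images', 'demo_insert_images_hardened' );
```

When reviewing other plugins for the same pattern, look for `wp_ajax_` handlers that take a post ID from the request and write to it after checking only a nonce or a general capability.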
Advice for Users:
- Immediate Action: Users are encouraged to update to the patched version 1.8.7.3 immediately.
- Check for Signs of Vulnerability: Monitor your website for unauthorized changes in gallery content.
- Alternate Plugins: Consider using alternative plugins that offer similar functionality as a precaution.
- Stay Updated: Always keep your plugins updated to the latest versions to prevent vulnerabilities.
Conclusion:
The swift action by the developers of the Envira Photo Gallery plugin to release a patch highlights the critical nature of maintaining current software updates. Users are strongly advised to upgrade to version 1.8.7.3 or later to protect their WordPress sites from this vulnerability.
Keeping Your WordPress Site Secure: A Critical Look at the Envira Photo Gallery Plugin Vulnerability
Introduction:
In today’s digital landscape, the security of your website is as crucial as its content. The recent security vulnerability found in the Envira Photo Gallery plugin for WordPress, identified as CVE-2023-6742, serves as a vital reminder of this truth. With the rising tide of cyber threats, an outdated or unpatched website can be the weak link that exposes your digital presence to risks. As a small business owner, understanding and addressing these vulnerabilities is key to safeguarding your online assets, especially when time is a scarce resource.
About the Envira Photo Gallery Plugin:
The Gallery Plugin for WordPress – Envira Photo Gallery is a popular tool used by over 100,000 websites. It allows users to create responsive and visually appealing photo galleries. Developed by smub, it has been a staple for many WordPress sites, boasting more than 5 million downloads. However, like any software, it's not immune to security vulnerabilities.
Details of the Vulnerability:
The recent issue, CVE-2023-6742, was a significant flaw in the plugin's security. It allowed authenticated users with contributor-level access to modify gallery content on other users' posts without proper authorization. This vulnerability was present in all versions up to and including 1.8.7.2. Fortunately, it has been patched in version 1.8.7.3.
Risks and Potential Impacts:
This vulnerability posed a real threat to website integrity. Unauthorized gallery modifications could lead to misinformation, inappropriate content display, or more sinister actions like redirecting visitors to malicious sites. Such incidents could damage the reputation of a website and erode the trust of its visitors.
Remediation Steps:
To address this vulnerability, website owners should immediately update the Envira Photo Gallery plugin to the latest patched version, 1.8.7.3. Regular updates and monitoring are crucial in preventing such vulnerabilities from being exploited.
History of Previous Vulnerabilities:
Since February 25, 2020, the Envira Photo Gallery plugin has encountered three previous vulnerabilities. Each of these instances highlights the evolving nature of security threats and the need for continuous vigilance.
Conclusion:
For small business owners, staying on top of such security vulnerabilities is essential yet challenging, given the constraints of time and resources. It's important to adopt a proactive approach to website maintenance, which includes regular software updates, backups, and periodic security audits. Consider enlisting the help of security experts or managed service providers who can monitor and maintain your website's security, allowing you to focus on growing your business. Remember, in the digital world, the security of your website is as critical as its functionality and content. Stay informed, stay updated, and stay secure.