Photo Gallery by 10Web Vulnerability – Directory Traversal to Arbitrary File Rename – CVE-2024-0221 | WordPress Plugin Vulnerability Report

Plugin Name: Photo Gallery by 10Web

Key Information:

  • Software Type: Plugin
  • Software Slug: photo-gallery
  • Software Status: Active
  • Software Author: 10web
  • Software Downloads: 17,512,296
  • Active Installs: 200,000
  • Last Updated: January 19, 2024
  • Patched Versions: 1.8.20
  • Affected Versions: <= 1.8.19

Vulnerability Details:

  • Name: Photo Gallery by 10Web - Mobile-Friendly Image Gallery <= 1.8.19 - Directory Traversal to Arbitrary File Rename
  • Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CVE: CVE-2024-0221
  • CVSS Score: 9.1 (Critical)
  • Publicly Published: January 19, 2024
  • Researcher: Bence Szalai
  • Description: The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.8.19 via the rename_item function. This makes it possible for authenticated attackers to rename arbitrary files on the server. This can lead to site takeovers if the wp-config.php file of a site can be renamed. By default this can be exploited by administrators only. In the premium version of the plugin, administrators can give gallery management permissions to lower level users, which might make this exploitable by users as low as contributors.

Summary:

The Photo Gallery by 10Web plugin for WordPress has a critical vulnerability in versions up to and including 1.8.19 that allows authenticated users to rename arbitrary files on the server via a directory traversal issue in the rename_item function. This has been patched in version 1.8.20.

Detailed Overview:

A vulnerability discovered by researcher Bence Szalai makes it possible for authenticated WordPress users to exploit a directory traversal issue and rename arbitrary files on the server where Photo Gallery by 10Web is installed. By renaming key files like wp-config.php, this could lead to complete site takeover. The vulnerability exists in the rename_item function. By default, only admins can exploit it but in the premium version, admins can assign gallery management permissions to contributors and up, making this exploitable by lower privilege users as well. The vulnerability has been given a CVSS score of 9.1 (Critical severity). Users are advised to update immediately to version 1.8.20 which contains the fix.

Advice for Users:

  1. Immediate Action: Update to version 1.8.20 or higher immediately.
  2. Check for Signs of Vulnerability: Review logs for unexpected activity and scan for malware. Revert any renamed files.
  3. Alternate Plugins: Consider alternate gallery plugins like Envira Gallery as a precaution.
  4. Stay Updated: Always keep plugins updated to avoid vulnerabilities.

Conclusion:

The quick response from 10Web to patch this critical vulnerability shows their commitment to security. Users should ensure they are running version 1.8.20 or higher as soon as possible to prevent compromise.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/photo-gallery

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/photo-gallery/photo-gallery-by-10web-mobile-friendly-image-gallery-1819-directory-traversal-to-arbitrary-file-rename

Detailed Report:

Keeping your website secure should be a top priority – but with the array of plugins, themes and core software we use, it can be a challenge to stay on top of every update. Unfortunately, that leaves the door open for vulnerabilities that can completely undermine your hard work building an online presence.

Case in point is a recently disclosed critical flaw in a very popular WordPress plugin, Photo Gallery by 10Web. Used on over 200,000 sites, this plugin powers image galleries and slideshows but has a nasty directory traversal vulnerability that could allow attackers to fully take over sites by simply renaming key files like wp-config.php.

About the Plugin

Photo Gallery by 10Web is a customizable, responsive gallery plugin used by over 200,000 WordPress sites. It has over 17 million total downloads and is actively maintained by its developer, 10Web.

The Vulnerability Explained

Researcher Bence Szalai recently discovered a path traversal vulnerability in Photo Gallery by 10Web, meaning attackers could exploit the plugin to access directories outside the image gallery and rename files arbitrarily on the server. This impacts all versions up to and including 1.8.19. By renaming key WordPress files like wp-config.php, attackers could easily take over sites.

This vulnerability, tracked as CVE-2024-0221, has a CVSS severity score of 9.1 out of 10, making it critical.
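The root cause described above is a rename routine that accepts file names without confining them to the gallery directory. As an added example that is not the plugin's code or from the Wordfence report, here is a PHP rename helper that confines both the source and destination to one base directory; the base directory and file names are constructed for the demonstration.

```php
<?php
// Added example (not the plugin's rename_item): rename a file only if both the
// source and the destination resolve inside the allowed base directory.
function safe_rename_within(string $base_dir, string $old_name, string $new_name): bool
{
    // The base directory must exist; realpath() gives its canonical form.
    $base = realpath($base_dir);
    if ($base === false || !is_dir($base)) {
        return false;
    }
    $base .= DIRECTORY_SEPARATOR;

    // Accept plain file names only: no separators, no NUL bytes, no "." or "..".
    // This rejects "../wp-config.php" before any filesystem call is made.
    foreach ([$old_name, $new_name] as $name) {
        if ($name === '' || $name === '.' || $name === '..'
            || strpbrk($name, "/\\\0") !== false
            || $name !== basename($name)) {
            return false;
        }
    }

    // Resolve the source and confirm it lives under the base directory.
    // realpath() follows symlinks, so a link pointing outside is caught too.
    $src = realpath($base . $old_name);
    if ($src === false || !is_file($src) || strncmp($src, $base, strlen($base)) !== 0) {
        return false;
    }

    // The destination does not exist yet, so validate its parent directory
    // and refuse to overwrite an existing file.
    $dst = $base . $new_name;
    if (realpath(dirname($dst)) !== rtrim($base, DIRECTORY_SEPARATOR) || file_exists($dst)) {
        return false;
    }

    return rename($src, $dst);
}

// Constructed demonstration: a temporary gallery directory holding one image.
$gallery = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'gallery_demo_' . uniqid();
mkdir($gallery);
file_put_contents($gallery . DIRECTORY_SEPARATOR . 'photo.jpg', 'constructed image bytes');

var_dump(safe_rename_within($gallery, 'photo.jpg', '../wp-config.php')); // traversal in destination
var_dump(safe_rename_within($gallery, '../wp-config.php', 'photo.jpg')); // traversal in source
var_dump(safe_rename_within($gallery, 'photo.jpg', 'renamed.jpg'));      // legitimate rename
```

In a real plugin the base directory would come from wp_upload_dir() and the caller would additionally be gated by a capability check and a nonce, which this helper does not replace.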

Impacts to Users

If exploited before sites update to the patched version, this vulnerability poses severe risks including:

  • Complete site takeover
  • Data theft or manipulation
  • SEO damage
  • Reputation harm

How to Update and Secure Your Site

  1. Update Photo Gallery by 10Web to version 1.8.20 immediately.
  2. Check your site for signs of compromise like unexpected admin accounts, code changes, etc.
  3. Consider switching gallery plugins - options like Envira Gallery avoid this vulnerability.
  4. Enable automated WordPress updates for plugins, themes and core.

A History of Vulnerabilities

This is unfortunately not the first vulnerability found in Photo Gallery. There have been 42 previous security issues reported since May 2014, illustrating the ongoing maintenance required by complex plugins.

The Importance of Updates

While detailing every vulnerability out there would require its own blog, the key takeaway is this: software has bugs. Hackers find them. Updates fix them. By using automated update systems and trusted plugins, you can eliminate the headaches and rest easy knowing your site is secure.

As a business owner, you don't have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We'll update everything to patched versions so you can rest easy knowing your site is locked down.

Focus on your business goals while we focus on your WordPress site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.
