WordPress Plugin Vulnerabilities

Gallerio <= 1.01 - Authenticated (Subscriber+) Arbitrary File Upload

Description

The Gallerio plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.01. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Plugin icon
gallerio
No known fix

References

CVE
CVE-2024-52400
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/82c9e3be-a6b8-4d3a-8e1a-cc2e29bb95b6

Miscellaneous

Original Researcher
C_T_R_L
Verified
No
WPVDB ID
1011c1c5-3d81-439d-929a-7875d795f7cb

Timeline

Publicly Published
2024-11-13 (about 1 year ago)
Added
2024-11-21 (about 1 year ago)
Last Updated
2024-11-21 (about 1 year ago)

Other

Published
Title
Published
2024-12-06
Title
Import Export For WooCommerce <= 1.6.2 - Subscriber+ Arbitrary File Upload
Published
2014-08-01
Title
php-analytics - ofc_upload_image.php Arbitrary File Upload
Published
2025-10-10
Title
Ovatheme Events Manager < 1.8.6 - Unauthenticated Arbitrary File Upload
Published
2025-12-09
Title
Video Merchant <= 5.0.4 - Cross-Site Request Forgery to Arbitrary File Upload
Published
2014-08-01
Title
Premium Gallery Manager - Shell Upload