WordPress Plugin Vulnerabilities

WordPress Photo Gallery – Image Gallery <= 1.0.6 - Cross-Site Request Forgery

Description

The plugin does not protect the load_images_thumbnail and edit_gallery functions against CSRF attacks, allowing an unauthenticated attacker to edit galleries by tricking a logged in user to submit a crafted request.

Affects Plugins

Plugin icon
photo-contest
No known fix

References

CVE
CVE-2021-4384
URL
https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-5/

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Jerome Bruandet
Verified
No
WPVDB ID
1c3db7f2-e846-410b-92b5-c7b34bcc62b6

Timeline

Publicly Published
2021-07-16 (about 4 years ago)
Added
2023-07-04 (about 2 years ago)
Last Updated
2023-07-04 (about 2 years ago)

Other

Published
Title
Published
2022-05-11
Title
Database Backup for WordPress < 2.5.2 - Arbitrary Schedule Settings Update via CSRF
Published
2025-04-09
Title
Easy Custom CSS <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2023-12-27
Title
Thrive Automator < 1.17.1 - Cross-Site Request Forgery
Published
2023-04-19
Title
Gallery Metabox <= 1.5 - Gallery Removal via CSRF
Published
2025-07-22
Title
YANewsflash <= 1.0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting