NextGEN Gallery < 3.39 – Admin+ Local File Inclusion | CVE 2023-3279 | Plugin Vulnerabilities

Description

The plugin does not validate some block attributes before using them to generate paths passed to include function/s, allowing Admin users to perform LFI attacks

Proof of Concept

1. Create a gallery and upload an image.
2. Add the NextGEN Gallery block to a page and click Edit. Select the Gallery created in the previous step.
3. In "Customize Display Settings", using the developer tools, set the value of the "Select View" field to "default/../../../../../../../../../../../../../../../../../../../../../../../../../../../../etc/passwd"
4. Save and load the page to view the contents of `/etc/passwd`.

Affects Plugins

nextgen-gallery

Fixed in 3.39

References

CVE

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Alex Sanford

Submitter

Alex Sanford

Submitter website

https://wpscan.com

Verified

Yes

WPVDB ID

3b7a7070-8d61-4ff8-b003-b4ff06221635

Timeline

Publicly Published

2023-09-25 (about 2 years ago)

Added

2023-09-25 (about 2 years ago)

Last Updated

2023-09-25 (about 2 years ago)

Other

Published

Title

Published

2023-11-06

Title

WPB Show Core <= 2.2 - Unauthenticated Local File Inclusion

Published

2015-06-10

Title

RobotCPA Plugin V5 - Unauthenticated Local File Inclusion

Published

2021-06-09

Title

Motor theme < 3.1.0 - Unauthenticated Local File Inclusion

Published

2025-04-03

Title

Countdown, Coming Soon, Maintenance – Countdown & Clock < 2.9.0 - Unauthenticated Limited Local File Inclusion

Published

2025-02-03

Title

Paid Videochat Turnkey Site – HTML5 PPV Live Webcams < 7.3.1 - Unauthenticated Arbitrary File Deletion