WordPress Plugin Vulnerabilities

Gallery From Files <= 1.6.0 - Unauthenticated RCE

Description

The upload feature of the plugin does not properly check for the allowed extensions, allowing them to be set in the request and attempting to remove the dangerous ones (such as .php and .js), but forgetting about .php4, .html etc. As a result, unauthenticated users could upload arbitrary .php4 files on the web server and gain RCE

Proof of Concept

Affects Plugins

Plugin icon
gallery-from-files
No known fix

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
10.0 (critical)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
426cf3b5-1bb7-4e81-b240-f3c962590721

Timeline

Publicly Published
2021-05-26 (about 4 years ago)
Added
2021-05-26 (about 4 years ago)
Last Updated
2021-05-26 (about 4 years ago)

Other

Published
Title
Published
2025-10-31
Title
Kallyas <= 4.24.0 - Authenticated (Contributor+) Remote Code Execution
Published
2023-12-15
Title
Duplicator < 1.3.0 - Unauthenticated RCE
Published
2025-07-21
Title
Nginx Cache Purge Preload < 2.1.3 - Authenticated (Administrator+) Remote Code Execution
Published
2023-11-13
Title
Filr – Secure document library < 1.2.3.6 - Author+ RCE via file upload with phar ext
Published
2024-03-13
Title
WP Fusion Lite < 3.42.10 - Authenticated (Contributor+) Remote Code Execution