WordPress Plugin Vulnerabilities

Tinymce Thumbnail Gallery < 1.1.0 - download-image.php Local File Inclusion

Description

The Tinymce Thumbnail Gallery WordPress plugin was affected by a download-image.php Local File Inclusion security vulnerability.

Proof of Concept

Affects Plugins

Plugin icon
tinymce-thumbnail-gallery
Fixed in 1.1.0

References

Exploitdb
19022
URL
https://packetstormsecurity.com/files/#113417/
URL
https://plugins.trac.wordpress.org/changeset/556394/tinymce-thumbnail-gallery

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22

Miscellaneous

Verified
No
WPVDB ID
4a49b023-c1c9-4cc4-a2fd-af5f911bb400

Timeline

Publicly Published
2014-08-01 (about 11 years ago)
Added
2014-08-01 (about 11 years ago)
Last Updated
2019-11-01 (about 6 years ago)

Other

Published
Title
Published
2014-10-06
Title
Trinity - Arbitrary File Download
Published
2025-12-11
Title
WatchTowerHQ <= 3.15.0 - Authenticated (Administrator+) Arbitrary File Read via 'wht_download_big_object_origin' Parameter
Published
2015-03-16
Title
MiwoFTP - File & Folder Manager <= 1.0.4 - Arbitrary File Disclosure
Published
2015-10-05
Title
Easy2Map < 1.3.0 - Local File Inclusion
Published
2025-10-14
Title
XStore | Multipurpose WooCommerce Theme < 9.6 - Authenticated (Subscriber+) Local File Inclusion