WordPress Plugin Vulnerabilities

Smart Image Gallery < 1.0.19 - Update/Delete Google API Key via CSRF

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
photoshow
Fixed in 1.0.19

References

CVE
CVE-2024-3632

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Bob Matyas
Submitter
Bob Matyas
Submitter website
https://www.bobmatyas.com
Submitter twitter
bobmatyas
Verified
Yes
WPVDB ID
9b11682d-4705-4595-943f-0fa093d0b644

Timeline

Publicly Published
2024-06-22 (about 1 year ago)
Added
2024-06-22 (about 1 year ago)
Last Updated
2024-06-22 (about 1 year ago)

Other

Published
Title
Published
2023-05-24
Title
JetFormBuilder < 3.0.7 - Cross-Site Request Forgery (CSRF)
Published
2024-04-10
Title
Inline Related Posts < 3.4.0 - Tracking Toggle via CSRF
Published
2022-05-17
Title
Hot Linked Image Cacher <= 1.16 - Image upload/cache abuse via CSRF
Published
2025-04-04
Title
WP w3all phpBB < 2.9.9 - Cross-Site Request Forgery
Published
2025-09-05
Title
Table of content <= 1.5.3.1 - Cross-Site Request Forgery