WordPress Plugin Vulnerabilities

WordPress Gallery Plugin – Limb Image Gallery <= 1.5.7 - Authenticated (Subscriber+) Arbitrary File Upload

Description

The Limb Gallery | Create Beautiful Image & Video Galleries plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the GRSUploadHandler class in all versions up to, and including, 1.5.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Plugin icon
limb-gallery
No known fix

References

CVE
CVE-2024-49260
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/121d5d4d-cf15-4c20-afb5-aa3375f2ef62

Miscellaneous

Original Researcher
stealthcopter
Verified
No
WPVDB ID
ba6627e8-9dae-4fb1-990d-167ed13c12cb

Timeline

Publicly Published
2024-10-14 (about 1 year ago)
Added
2024-10-18 (about 1 year ago)
Last Updated
2024-10-18 (about 1 year ago)

Other

Published
Title
Published
2021-04-10
Title
Event Banner <= 1.3 - Arbitrary File Upload to RCE
Published
2024-09-09
Title
Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress < 6.5.6 - Authenticated (Subscriber+) Arbitrary File Upload
Published
2024-10-17
Title
photokit <= 1.0 - Unauthenticated Arbitrary File Upload
Published
2025-11-25
Title
AI Feeds < 1.0.12 - Unauthenticated Arbitrary File Upload
Published
2024-06-22
Title
Wp EMember < 10.6.6 - Authenticated (Admin+) Arbitrary File Upload