CVE-2019-14798

Name of the Vulnerable Software and Affected Versions 10Web Photo Gallery plugin versions prior to 1.5.25

Description The issue concerns an Authenticated Local File Inclusion vulnerability via directory traversal. This is specifically related to the tagtext parameter in the "wp-admin/admin-ajax.php?action=shortcode bwg" API endpoint.

Recommendations For versions prior to 1.5.25, update to version 1.5.25 or later to resolve the issue. As a temporary workaround, consider restricting access to the wp-admin/admin-ajax.php?action=shortcode bwg endpoint or avoiding the use of the tagtext parameter until the update is applied.