PT-2017-7556 · Photocrati · Photocrati Nextgen Gallery

Sathish

Published

2017-09-12

Updated

2020-10-29

CVE-2015-9228

CVSS v2.0

9.0

High

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Photocrati NextGEN Gallery plugin version 2.1.10

Description The issue concerns unrestricted file upload in the Photocrati NextGEN Gallery plugin for WordPress. This is achieved by modifying the file extension, for example, from .jpg to .php, using the name parameter in post-new.php.

Recommendations For version 2.1.10, consider restricting file uploads to only allowed extensions to prevent potential exploitation. As a temporary workaround, restrict access to the post-new.php file until a patch is available. Avoid using the name parameter in the affected endpoint until the issue is resolved.

Fix

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-434

Related Identifiers

CVE-2015-9228

Affected Products

Photocrati Nextgen Gallery

PT-2017-7556 · Photocrati · Photocrati Nextgen Gallery

CVE-2015-9228

Weakness Enumeration

Related Identifiers

Affected Products

References · 8