CVE-2024-0825

Name of the Vulnerable Software and Affected Versions Vimeography: Vimeo Video Gallery WordPress Plugin versions up to, and including, 2.3.2

Description The issue allows authenticated attackers with contributor access or higher to inject a PHP Object via deserialization of untrusted input through the vimeography duplicate gallery serialized in the duplicate gallery function. If a POP chain is present via an additional plugin or theme, it could enable the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Recommendations For versions up to, and including, 2.3.2, consider disabling the duplicate gallery function until a patch is available to prevent exploitation. Restrict access to the vimeography duplicate gallery serialized variable to minimize the risk of PHP Object Injection. Avoid using the vimeography duplicate gallery serialized variable in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.