CVE-2024-11409

Name of the Vulnerable Software and Affected Versions The Grid View Gallery plugin for WordPress versions up to, and including, 1.0

Description The issue allows authenticated attackers with Editor-level access and above to inject a PHP Object via deserialization of untrusted input from the cs all photos details parameter. This could potentially lead to the deletion of arbitrary files, retrieval of sensitive data, or execution of code if a POP chain is present, possibly introduced by an additional plugin or theme.

Recommendations For The Grid View Gallery plugin for WordPress versions up to, and including, 1.0, consider disabling the deserialization of input from the cs all photos details parameter until a patch is available. Restrict access to the plugin's functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.