CVE-2024-1896

Name of the Vulnerable Software and Affected Versions The Photo Gallery – Responsive Photo Gallery, Image Gallery, Portfolio Gallery, Logo Gallery And Team Gallery plugin for WordPress versions up to, and including, 1.4.1

Description The issue allows authenticated attackers with contributor access and above to inject a PHP Object via deserialization of untrusted input from the awl lg settings attribute in a shortcode. This could potentially lead to the deletion of arbitrary files, retrieval of sensitive data, or execution of code if a POP chain is present, either from an additional plugin or theme installed on the target system.

Recommendations For versions up to, and including, 1.4.1, update to a version that fixes the PHP Object Injection issue. As a temporary workaround, consider restricting access to the shortcode that deserializes input from the awl lg settings attribute to minimize the risk of exploitation.