PT-2024-31670 · Yotuwp · The Video Gallery – Youtube Playlist

Foxyyy · Published 2024-06-15 · Updated 2024-09-20 · CVE-2024-4551

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: The Video Gallery – YouTube Playlist, Channel Gallery by YotuWP plugin for WordPress, versions up to and including 1.3.13.
Description: The plugin's display function lets authenticated attackers with Contributor access or higher include and execute arbitrary PHP files on the server. Any PHP code in an included file is executed, which can bypass access controls, expose sensitive data, or lead to code execution, particularly where images and other "safe" file types can be uploaded and then included.
Recommendations: For versions up to and including 1.3.13, update to a release newer than 1.3.13 to resolve the issue. As a temporary workaround, restrict access to the display function to reduce the risk of exploitation, and restrict the ability to upload and include PHP files to prevent code execution.
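The hardened pattern the recommendations point at, as an added example that is not the plugin's own code: the layout name is validated against a strict pattern and an allowlist, then confined to the template directory with a realpath containment check before it is included. The directory, allowlist, function names and the `manage_options` capability are assumptions; `current_user_can()` and `wp_die()` are WordPress core functions.

```php
<?php
// Hypothetical template directory and allowlist of layouts the plugin ships.
define('EXAMPLE_TEMPLATE_DIR', __DIR__ . '/templates');
const EXAMPLE_ALLOWED_LAYOUTS = ['grid', 'list', 'carousel'];

/**
 * Resolve an untrusted layout name to a template path, or return null.
 * Three independent checks, so defeating one still fails the others:
 *  1. strict token pattern (no slashes, dots, NUL bytes, stream wrappers);
 *  2. explicit allowlist of layouts the plugin ships;
 *  3. the resolved real path must stay inside the template directory.
 */
function example_resolve_template(string $layout): ?string
{
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $layout)) {
        return null; // rejects "../", "php://", absolute paths, "\0"
    }
    if (!in_array($layout, EXAMPLE_ALLOWED_LAYOUTS, true)) {
        return null;
    }
    $base = realpath(EXAMPLE_TEMPLATE_DIR);
    $path = realpath(EXAMPLE_TEMPLATE_DIR . '/' . $layout . '.php');
    if ($base === false || $path === false) {
        return null; // directory or template file does not exist
    }
    // Containment: the canonical path must begin with "<base>/".
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Hardened display handler. The capability gate mirrors the advisory's
 * interim workaround (limit who can reach the function); the resolver
 * above is the real fix, since Contributor accounts are in scope.
 */
function example_display(array $request): void
{
    if (!current_user_can('manage_options')) { // capability is an assumption
        wp_die('Forbidden', '', ['response' => 403]);
    }
    $path = example_resolve_template((string) ($request['layout'] ?? 'grid'));
    if ($path === null) {
        wp_die('Invalid layout', '', ['response' => 400]);
    }
    include $path; // only ever a vetted file under the template directory
}
```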

Related Identifiers: CVE-2024-4551

Affected Products: The Video Gallery – Youtube Playlist