CVE-2024-8436

Name of the Vulnerable Software and Affected Versions: The WP Easy Gallery – WordPress Gallery Plugin versions up to, and including, 4.8.5

Description: The issue allows authenticated attackers with subscriber-level access and above to perform SQL Injection via the edit imageId and edit imageDelete parameters due to insufficient escaping on user-supplied parameters and lack of sufficient preparation on existing SQL queries. This enables attackers to append additional SQL queries to existing ones, potentially extracting sensitive information from the database.

Recommendations: For versions up to, and including, 4.8.5, consider disabling the edit imageId and edit imageDelete parameters until a patch is available to prevent SQL Injection attacks. Restrict access to sensitive database information to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.