CVE-2017-20207
Published: 18 October 2025
Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Security Summary
CVE-2017-20207 is a PHP Object Injection vulnerability (CWE-502) in the Flickr Gallery plugin for WordPress, affecting versions up to and including 1.5.2. The issue arises from deserialization of untrusted input via the "pager" parameter, enabling attackers to inject arbitrary PHP objects. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high confidentiality, integrity, and availability impacts.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no privileges required. By supplying malicious serialized data in the "pager" parameter, they can trigger object injection, which has been actively used in the wild with the WP_Theme() class to create backdoors on affected sites.
Advisories from Wordfence highlight this as one of three zero-day plugin vulnerabilities exploited in the wild in 2017, with a patch available in the WordPress plugin trac changeset 1737576 for Flickr Gallery. Security practitioners should ensure the plugin is updated beyond version 1.5.2 to mitigate the issue, and monitor Wordfence threat intelligence for related indicators.
This vulnerability saw active real-world exploitation shortly after disclosure, demonstrating the risks of unpatched WordPress plugins handling serialized data.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote exploitation of a public-facing WordPress plugin via PHP object injection (T1190), actively used to create backdoors consistent with web shells (T1100).