CVE-2024-13906
Published: 07 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-13906 is a PHP Object Injection vulnerability (CWE-502) affecting the Gallery by BestWebSoft WordPress plugin in all versions up to and including 4.7.3. The issue arises from deserialization of untrusted input in the 'import_gallery_from_csv' function, enabling authenticated attackers with Administrator-level access or higher to inject a PHP Object. The CVSS v3.1 base score is 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H).
Attackers must have Administrator privileges on the target WordPress site to exploit this via the CSV import feature. While the vulnerability allows object injection, no known Property-Oriented Programming (POP) chain exists within the plugin itself, rendering it ineffective in isolation. Impact depends on the presence of a POP chain from another installed plugin or theme, potentially enabling arbitrary file deletion, sensitive data retrieval, or code execution based on the chain's capabilities.
Advisories from Wordfence detail the vulnerability and reference a patch in WordPress plugin changeset 3249573, which addresses the deserialization issue. The vulnerable code is visible in the plugin source at line 292 of gallery-plugin.php in version 4.7.3. Security practitioners should update to a patched version of the plugin via the WordPress repository to mitigate the risk.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a deserialization vulnerability in a public-facing WordPress plugin that can be directly exploited via the web application interface (CSV import function) by an authenticated admin to achieve object injection and potential code execution or data impacts.