CVE-2024-52400
📋 TL;DR
CVE-2024-52400 is an unrestricted file upload vulnerability in the Gallerio WordPress plugin that allows attackers to upload malicious files, including web shells, to the server. This affects all WordPress sites running Gallerio versions up to 1.01. Successful exploitation gives attackers full control over the affected web server.
💻 Affected Systems
- WordPress Gallerio Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, ransomware deployment, lateral movement to internal networks, and persistent backdoor installation.
Likely Case
Web shell upload leading to website defacement, credential theft, data exfiltration, and use as a foothold for further attacks.
If Mitigated
Limited impact if file uploads are restricted via web application firewall or server-side controls, though vulnerability remains present.
🎯 Exploit Status
Simple HTTP POST request with malicious file upload. Public exploit code available on security research sites.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.02 or later
Vendor Advisory: https://patchstack.com/database/vulnerability/gallerio/wordpress-gallerio-plugin-1-01-arbitrary-file-upload-vulnerability?_s_id=cve
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Gallerio plugin. 4. Click 'Update Now' if update available. 5. If no update available, deactivate and delete plugin immediately.
🔧 Temporary Workarounds
Disable Gallerio Plugin
allTemporarily disable the vulnerable plugin until patched version is available
wp plugin deactivate gallerio
Restrict File Uploads via .htaccess
linuxBlock execution of uploaded files in upload directories
<FilesMatch "\.(php|php3|php4|php5|phtml|pl|py|jsp|asp|sh|cgi)$">
Order Allow,Deny
Deny from all
</FilesMatch>
🧯 If You Can't Patch
- Immediately disable or remove the Gallerio plugin from all WordPress installations
- Implement web application firewall rules to block file uploads to Gallerio endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for Gallerio version. If version is 1.01 or earlier, system is vulnerable.Check Version:
wp plugin get gallerio --field=versionVerify Fix Applied:
Verify Gallerio plugin version is 1.02 or later, or confirm plugin is completely removed from plugins directory.📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /wp-content/plugins/gallerio/ upload endpoints
- Unusual file uploads with .php, .phtml, or other executable extensions
- Files being written to upload directories with suspicious names
Network Indicators:
- POST requests to Gallerio plugin endpoints with file uploads
- Subsequent connections to uploaded files from external IPs
SIEM Query:
source="web_server" AND (uri_path="/wp-content/plugins/gallerio/*" AND http_method="POST") AND (file_extension="php" OR file_extension="phtml" OR file_extension="jsp")