CVE-2024-5481

6.8 MEDIUM

📋 TL;DR

The Photo Gallery by 10Web WordPress plugin has a path traversal vulnerability in the esc_dir function that allows authenticated attackers to copy arbitrary files (potentially containing sensitive information) and delete arbitrary directories, including the WordPress root directory. By default, only administrators can exploit this, but in the premium version, gallery edit permissions can be granted to lower-level users like contributors, expanding the attack surface.

💻 Affected Systems

Products:
  • Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin
Versions: All versions up to and including 1.8.23
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Premium version allows lower-level users (e.g., contributors) to be granted gallery edit permissions, potentially expanding exploitability beyond administrators.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete website compromise via deletion of the WordPress root directory, leading to site destruction and potential data loss, or exfiltration of sensitive files such as wp-config.php, which contains database credentials.

🟠 Likely Case

Unauthorized access to sensitive files (configuration files, user data, backups) and potential directory deletion causing service disruption.

🟢 If Mitigated

With proper access controls, exploitation is limited to administrators, so the risk is confined to already-trusted users.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access (administrator by default; in the premium version, contributors can be granted gallery edit permissions). Path traversal via the esc_dir function is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.24

Vendor Advisory: https://wordpress.org/plugins/photo-gallery/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Photo Gallery by 10Web' and click 'Update Now' if available.
4. Alternatively, download version 1.8.24+ from WordPress.org and manually update via FTP or file manager.

🔧 Temporary Workarounds

Disable or remove vulnerable plugin (applies to: all)

Temporarily deactivate or delete the plugin until patched to eliminate the vulnerability.

wp plugin deactivate photo-gallery
wp plugin delete photo-gallery

Restrict user permissions (applies to: all)

In the premium version, ensure gallery edit permissions are not granted to low-level users such as contributors.

🧯 If You Can't Patch

  • Immediately deactivate the plugin to prevent exploitation.
  • Implement strict access controls and monitor for suspicious file operations.

🔍 How to Verify

Check if Vulnerable:

Check the plugin version in the WordPress admin under Plugins > Installed Plugins. If the version is 1.8.23 or lower, it is vulnerable.

Check Version:

wp plugin get photo-gallery --field=version

Verify Fix Applied:

After update, confirm plugin version is 1.8.24 or higher in the same location.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file copy or delete operations in WordPress or web server logs, especially involving path traversal patterns (e.g., '../').
  • Failed or successful attempts to access sensitive files like wp-config.php via plugin endpoints.

Network Indicators:

  • HTTP requests to plugin filemanager endpoints with suspicious path parameters.

SIEM Query:

source="web_logs" AND (uri_path="/wp-content/plugins/photo-gallery/filemanager/controller.php" AND (query_string="*../*" OR query_string="*..%2f*"))
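The SIEM query above only catches a literal '../' or '..%2f'. The following added example (not part of this advisory and not the plugin's code) applies the same rule to raw access-log lines, but percent-decodes query values repeatedly so that double-encoded traversal is also flagged, while ignoring '..' that appears outside the filemanager endpoint. The 'dir' query parameter name and the log lines are constructed assumptions, not documented plugin behaviour.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoint from the advisory's SIEM query, matched by suffix so subdirectory installs are caught too.
FILEMANAGER_SUFFIX = "/photo-gallery/filemanager/controller.php"
# A ".." path segment bounded by slashes, backslashes, or the string ends.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Apache/Nginx combined-style access log line (constructed format, not plugin output).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable, so %252e%252e%252f surfaces as '../' just like ..%2f does."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(request_target: str) -> bool:
    """True if the request hits the filemanager endpoint with a '..' segment in any query value."""
    parts = urlsplit(request_target)
    if not parts.path.endswith(FILEMANAGER_SUFFIX):
        return False  # '..' elsewhere on the site is not this vulnerability
    # parse_qsl decodes one layer; fully_decode strips any further encoding layers.
    return any(TRAVERSAL.search(fully_decode(raw))
               for _, raw in parse_qsl(parts.query, keep_blank_values=True))


def scan_log(text: str) -> list[tuple[str, str, str]]:
    """Return (client_ip, timestamp, request_target) for every matching access-log line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and has_traversal(m["target"]):
            hits.append((m["ip"], m["ts"], m["target"]))
    return hits


# Constructed sample: single-encoded traversal, double-encoded traversal, a benign gallery path,
# and a '..' outside the plugin endpoint (should not be flagged).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "GET /wp-content/plugins/photo-gallery/filemanager/controller.php?dir=..%2F..%2F..%2F HTTP/1.1" 200 512
203.0.113.5 - - [10/Jun/2024:12:00:02 +0000] "GET /wp-content/plugins/photo-gallery/filemanager/controller.php?dir=%252e%252e%252fwp-admin HTTP/1.1" 200 512
198.51.100.7 - - [10/Jun/2024:12:00:03 +0000] "GET /wp-content/plugins/photo-gallery/filemanager/controller.php?dir=gallery1/sub HTTP/1.1" 200 512
198.51.100.7 - - [10/Jun/2024:12:00:04 +0000] "GET /wp-content/uploads/photo-gallery/../x.jpg HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    for ip, ts, target in scan_log(SAMPLE_LOG):
        print(f"[{ts}] {ip} {target}")
```

Point scan_log at a real access log to get the flagged (ip, timestamp, target) tuples for triage.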
