CVE-2024-5724
📋 TL;DR
The Photo Video Gallery Master WordPress plugin is vulnerable to PHP object injection via deserialization of untrusted input in the 'PVGM_all_photos_details' parameter. This allows authenticated attackers with Contributor-level access or higher to inject PHP objects. If a POP chain exists via other installed plugins or themes, this could lead to arbitrary file deletion, data theft, or code execution.
💻 Affected Systems
- Photo Video Gallery Master WordPress Plugin
📦 What is this software?
Photo Video Gallery Master by Webhuntinfotech
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise if a suitable POP chain exists via other installed plugins/themes
Likely Case
Arbitrary file deletion or sensitive data exposure if a POP chain exists in the environment
If Mitigated
Limited impact with only authenticated Contributor+ users able to trigger deserialization without a POP chain
🎯 Exploit Status
Exploitation requires authenticated access and depends on availability of POP chains in the environment
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 1.5.3
Vendor Advisory: https://plugins.trac.wordpress.org/browser/photo-video-gallery-master
Restart Required: No
Instructions:
1. Log into WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Photo Video Gallery Master.
4. Click 'Update Now' if update available.
5. If no update available, deactivate and delete plugin.
🔧 Temporary Workarounds
Remove Contributor Role Access
Restrict plugin access to only Administrators and Editors
Input Validation Filter
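Add WordPress filter to sanitize PVGM_all_photos_details parameter
Add to theme's functions.php:
// Hook the sanitize_text_field filter; the callback receives the filtered
// value and the original string passed to sanitize_text_field().
add_filter('sanitize_text_field', 'custom_pvgm_filter', 10, 2);
function custom_pvgm_filter($filtered, $str) {
    // $str is the submitted value, not the request parameter name, so this
    // branch runs only when the value itself contains 'PVGM_all_photos_details'.
    if (strpos($str, 'PVGM_all_photos_details') !== false) {
        // wp_unslash(wp_slash($x)) returns $x unchanged.
        return wp_unslash(wp_slash($filtered));
    }
    return $filtered;
}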
🧯 If You Can't Patch
- Deactivate and remove the Photo Video Gallery Master plugin immediately
- Implement strict access controls limiting plugin functionality to trusted administrators only
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Photo Video Gallery Master → Version. If version is 1.5.3 or lower, system is vulnerable.
Check Version:
wp plugin list --name='photo-video-gallery-master' --field=version
Verify Fix Applied:
Verify plugin version is higher than 1.5.3 after update
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests containing 'PVGM_all_photos_details' parameter
- PHP deserialization errors in WordPress debug logs
- Unexpected file deletion or modification events
Network Indicators:
- HTTP requests to WordPress admin-ajax.php or admin-post.php with serialized data in PVGM_all_photos_details parameter
SIEM Query:
source="wordpress.log" AND "PVGM_all_photos_details" AND ("unserialize" OR "O:" OR "C:")
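Added example (not from the vendor or the original advisory): a Python scan over captured request logs that flags PVGM_all_photos_details values carrying serialized PHP object tokens ("O:" / "C:"), the pattern the log and network indicators above describe. The log line format, the sample lines and the base64 handling are assumptions constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote

PARAM = "PVGM_all_photos_details"
# PHP serialize() object tokens: O:<len>:"Class":<count>:{ or C:<len>:"Class":<len>:{
OBJECT_TOKEN = re.compile(r'(?:^|[;{])([OC]):\+?\d+:"([^"]+)":\d+:\{')

def _candidates(value):
    """Yield the value as-is and, if it decodes cleanly, its base64 form (assumed wrapper)."""
    yield value
    try:
        yield base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        pass

def object_classes(value):
    """Return class names of serialized PHP objects found in a parameter value."""
    found = []
    for text in _candidates(value):
        found += [m.group(2) for m in OBJECT_TOKEN.finditer(text)]
    return found

def scan(log_lines):
    """Return (line_number, classes) for requests whose PARAM carries objects."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        _, _, body = line.partition(" body=")
        for key, value in parse_qsl(body, keep_blank_values=True):
            if key == PARAM and (classes := object_classes(value)):
                hits.append((n, classes))
    return hits

# Constructed sample lines (assumed format: "<method> <path> body=<urlencoded form>")
_B64 = quote(base64.b64encode(b'a:1:{i:0;O:8:"stdClass":0:{}}').decode(), safe="")
SAMPLE = [
    "POST /wp-admin/post.php body=post_ID=12&" + PARAM + "=" + quote('a:1:{i:0;s:5:"a.jpg";}', safe=""),
    "POST /wp-admin/post.php body=post_ID=13&" + PARAM + "=" + quote('O:8:"stdClass":0:{}', safe=""),
    "POST /wp-admin/post.php body=post_ID=14&" + PARAM + "=" + _B64,
    "POST /wp-admin/post.php body=post_ID=15&title=" + quote('O:8:"stdClass":0:{}', safe=""),
]

if __name__ == "__main__":
    for n, classes in scan(SAMPLE):
        print(f"line {n}: serialized object(s) {classes}")
```

A plain serialized array (sample line 1) and object tokens in other parameters (line 4) are not flagged; only object tokens inside the affected parameter are.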
🔗 References
- https://plugins.trac.wordpress.org/browser/photo-video-gallery-master/trunk/photo-video-gallery-master.php#L301
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8376556e-ed78-4a0e-a23f-9b2a39db94d9?source=cve