Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Flickr Gallery WordPress Plugin PHP Object Injection Vulnerability

Vulnerability

A PHP Object Injection vulnerability has been identified in the Flickr Gallery plugin for WordPress, affecting versions through 1.5.2. The vulnerability arises from the deserialization of untrusted input in the 'pager' parameter, allowing unauthenticated attackers to inject PHP objects. Exploitation of this vulnerability has been observed in the wild, with attackers using the WP_Theme() class to create backdoors on the affected site.

Impact

Exploitation of this vulnerability allows for PHP Object Injection, which can be used to execute arbitrary code or create backdoors on the affected site.

Reproduction

To reproduce this vulnerability, send a POST request to the site's root URL with the 'pager' parameter containing a serialized PHP object. The injected object can be crafted to include a backdoor, such as a PHP file that is executed on the server.
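For defenders, the request shape described above is easy to flag in traffic captures. The following is an added example (not code from the plugin or from this advisory) that scans constructed request records for a serialized PHP object in the 'pager' parameter, the sink named above, and raises severity when the class is WP_Theme, the class the advisory reports being abused; the record format and sample traffic are assumptions.

```python
import re
from typing import Optional
from urllib.parse import parse_qs

# Header of a PHP serialized object: O:<name length>:"<ClassName>":<prop count>:{
PHP_OBJECT_RE = re.compile(r'O:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')

# Class the advisory reports being abused in the wild against this sink.
KNOWN_ABUSED_CLASSES = {"WP_Theme"}

def inspect_request(method: str, path: str, body: str) -> Optional[dict]:
    """Return a finding if the POST body's 'pager' parameter carries a
    serialized PHP object (the vulnerable sink), else None.
    parse_qs undoes percent-encoding, so encoded submissions are caught too."""
    if method.upper() != "POST":
        return None
    params = parse_qs(body, keep_blank_values=True)
    for value in params.get("pager", []):
        match = PHP_OBJECT_RE.search(value)
        if match:
            cls = match.group(1)
            return {
                "path": path,
                "class": cls,
                "severity": "critical" if cls in KNOWN_ABUSED_CLASSES else "high",
            }
    return None

def scan(records) -> list:
    """Run inspect_request over (method, path, body) tuples, e.g. parsed from
    an access log that retains POST bodies or from a WAF capture (assumed format)."""
    findings = []
    for method, path, body in records:
        finding = inspect_request(method, path, body)
        if finding:
            findings.append(finding)
    return findings

# Constructed sample records (not real traffic). The serialized values are
# empty object headers used only to exercise the signature, not payloads.
SAMPLE_REQUESTS = [
    ("GET", "/", ""),                                            # normal browsing
    ("POST", "/", "pager=3"),                                    # legitimate page number
    ("POST", "/", "pager=O%3A8%3A%22WP_Theme%22%3A0%3A%7B%7D"),  # encoded object, abused class
    ("POST", "/", "pager=O:8:\"stdClass\":0:{}"),                # object of another class
    ("POST", "/wp-login.php", "log=O:8:\"stdClass\":0:{}"),      # not the 'pager' sink; not flagged
]

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"{f['severity']:8} {f['path']} class={f['class']}")
```

Any hit is worth correlating with newly created PHP files under the web root, since the advisory reports the in-the-wild activity dropping backdoors after injection.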

Remediation

Users should update the Flickr Gallery plugin to version 1.5.3 or later.

Added: Oct 18, 2025, 4:22 AM
Updated: Oct 18, 2025, 4:22 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 9.1
remediation: 7.7
relevance: 0.7
threat: 8.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.