============================================= PRESTIGIA SEGURIDAD ALERT 2019-001 - Original release date: July 31, 2019 - Last revised: November 13, 2019 - Discovered by: Prestigia Seguridad - Severity: 7,5/10 (CVSS Base Score) - CVE-ID: CVE-2019-14467 ============================================= I. VULNERABILITY ------------------------- WordPress Plugin Social Photo Gallery 1.0 - Remote Code Execution II. BACKGROUND ------------------------- Social Gallery is the ultimate lightbox plugin for WordPress. Your images deserve to be experienced and shared, to spark a response as they travel the social web, and to work for you by generating more fans and more Likes for your content. III. DESCRIPTION ------------------------- The version of WordPress Plugin Social Photo Gallery is affected by a Remote Code Execution vulnerability. The application does not check the extension when a imagen of a album is uploaded, resulting in a execution of php code. To exploit the vulnerability only is needed create a album in the application and attach a malicious php file in the cover photo album. IV. PROOF OF CONCEPT ------------------------- 1. Create a .php archive (cmd.php): 2. Click Add Album, select the name, for example "demo" and in the "Cover Photo" select the cmd.php file. 3. Load the next URL and magic: http://127.0.0.1/wordpress/wp-content/uploads/socialphotogallery/demo/cmd.php?cmd=ls V. BUSINESS IMPACT ------------------------- Execute local commands in the server result from these attacks. VI. SYSTEMS AFFECTED ------------------------- WordPress Plugin Social Photo Gallery 1.0 VII. SOLUTION ------------------------- The solution is only allow upload Digital Image Files: TIFF, JPEG, GIF, PNG VIII. REFERENCES ------------------------- https://wordpress.org/plugins/social-photo-gallery/ IX. CREDITS ------------------------- This vulnerability has been discovered and reported by Prestigia Seguridad Email: info@prestigiaonline.com X. REVISION HISTORY ------------------------- July 31, 2019 1: Initial release November 13, 2019 2: Revision to send to lists XI. DISCLOSURE TIMELINE ------------------------- July 31, 2019 1: Vulnerability acquired by Prestigia Seguridad July 31, 2019 2: Email to vendor without response August 15, 2019 3: Second email to vendor without response November 13, 2019 4: Send to the Full-Disclosure lists XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. XIII. ABOUT ------------------------- Prestigia Seguridad https://seguridad.prestigia.es/