CVE-2017-20207 in Flickr Gallery Plugin
Summary
by MITRE • 10/18/2025
The Flickr Gallery plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.5.2 via deserialization of untrusted input from the `pager ` parameter. This allows unauthenticated attackers to inject a PHP Object. Attackers were actively exploiting this vulnerability with the WP_Theme() class to create backdoors.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 10/18/2025
The vulnerability identified as CVE-2017-20207 affects the Flickr Gallery plugin for WordPress, specifically targeting versions up to and including 1.5.2. This represents a critical security flaw that exposes the platform to unauthorized manipulation through a sophisticated attack vector involving PHP object injection. The vulnerability stems from improper input validation within the plugin's handling of user-supplied data, creating an avenue for malicious actors to exploit the system's object serialization mechanisms.
The technical flaw manifests through the deserialization of untrusted input originating from the `pager` parameter within the plugin's code execution flow. When the plugin processes this parameter without adequate sanitization or validation, it inadvertently executes PHP objects that have been crafted by attackers. This deserialization process occurs in a manner that allows attackers to inject malicious PHP objects, effectively bypassing normal security boundaries and gaining unauthorized access to the WordPress installation. The vulnerability operates under CWE-502, which specifically addresses deserialization of untrusted data as a means of executing arbitrary code.
The operational impact of this vulnerability is severe and far-reaching, as it enables unauthenticated attackers to achieve complete system compromise without requiring valid credentials or prior access. Attackers actively exploited this vulnerability by leveraging the WP_Theme() class to establish persistent backdoors within affected installations. This exploitation technique allows malicious actors to maintain long-term access to compromised systems, enabling them to perform various malicious activities including data exfiltration, system manipulation, and further network infiltration. The vulnerability's exploitation aligns with ATT&CK technique T1505.003, which involves the use of web shell deployment for maintaining access to compromised systems.
The attack vector demonstrates how a seemingly minor input parameter can serve as a gateway for sophisticated attacks, highlighting the critical importance of proper input validation and secure coding practices in web applications. The vulnerability's exploitation pattern indicates that attackers are actively targeting WordPress installations to establish persistent access points, making it particularly dangerous for organizations that rely on WordPress for their web presence. This particular flaw underscores the necessity of regular security updates and the implementation of robust input sanitization measures to prevent similar vulnerabilities from being exploited in the future. Organizations affected by this vulnerability should immediately update to patched versions of the plugin and conduct thorough security assessments of their WordPress installations to identify any potential compromise.