CVE-2024-0221 in Photo Gallery Plugininfo

Summary

by MITRE • 02/06/2024

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.8.19 via the rename_item function. This makes it possible for authenticated attackers to rename arbitrary files on the server. This can lead to site takeovers if the wp-config.php file of a site can be renamed. By default this can be exploited by administrators only. In the premium version of the plugin, administrators can give gallery management permissions to lower level users, which might make this exploitable by users as low as contributors.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 04/11/2026

The Photo Gallery by 10Web plugin for WordPress presents a critical directory traversal vulnerability identified as CVE-2024-0221 affecting versions up to and including 1.8.19. This vulnerability resides within the rename_item function which improperly handles file path manipulation, allowing authenticated attackers to perform arbitrary file renaming operations on the target server. The flaw represents a classic directory traversal issue that falls under CWE-22, specifically involving improper limitation of a pathname to a restricted directory. The vulnerability's exploitation requires authentication, meaning attackers must first gain access to a valid user account within the WordPress environment. By default, this restriction limits the attack surface to administrators who possess sufficient privileges to manipulate gallery content, though the impact escalates significantly when considering the premium version's permission structure.

The operational impact of this vulnerability extends far beyond simple file renaming operations, creating potential pathways for complete site compromise. When an attacker successfully exploits this vulnerability, they can target critical system files including the wp-config.php configuration file, which contains database credentials and cryptographic keys essential for WordPress operation. The ability to rename this file effectively neutralizes the site's security posture, as it allows attackers to either disable security features or replace legitimate configuration with malicious alternatives. This particular attack vector aligns with ATT&CK technique T1078.004, which involves valid accounts with limited privileges being used to access systems, combined with T1486, which encompasses data manipulation through file system modifications. The vulnerability's potential for privilege escalation becomes more pronounced in premium versions where gallery management capabilities can be delegated to users with lower privilege levels such as contributors, expanding the attack surface significantly.

The exploitation mechanism relies on the plugin's insufficient input validation and path sanitization within the rename_item function, which fails to properly restrict file paths to the intended gallery directory. This allows attackers to manipulate file paths through directory traversal sequences, potentially accessing files outside the intended scope of the gallery functionality. The vulnerability's severity increases when considering that WordPress installations often store sensitive information in configuration files, and the wp-config.php file specifically contains database connection details, security salts, and other critical configuration parameters. Attackers who successfully rename this file can effectively gain control over the entire WordPress installation, potentially leading to data exfiltration, site defacement, or further lateral movement within compromised networks. The issue demonstrates the critical importance of proper input validation and privilege separation in web applications, particularly those handling user-uploaded content or administrative functions. Organizations should immediately implement patch management procedures to address this vulnerability, while also reviewing user permission assignments to minimize potential impact from compromised lower-level accounts.

Responsible

Wordfence

Reservation

01/03/2024

Disclosure

02/06/2024

Moderation

accepted

CPE

ready

EPSS

0.01312

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!