Multiple vulnerabilities in Photo Gallery – Image Gallery by Ape plugin for WordPress



Published: 2022-11-25
Risk Medium
Patch available NO
Number of vulnerabilities 2
CVE-ID CVE-2022-41995
CVE-2022-41785
CWE-ID CWE-284
CWE-79
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		Photo Gallery – Image Gallery by Ape
Web applications / Modules and components for CMS

Vendor galleryape

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Improper access control

EUVDB-ID: #VU69612

Risk: Medium

CVSSv3.1: 5 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2022-41995

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote user can bypass implemented security restrictions and gain unauthorized access to the application.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Photo Gallery – Image Gallery by Ape: 2.2.1 - 2.2.8

External links

http://patchstack.com/database/vulnerability/gallery-images-ape/wordpress-gallery-images-ape-plugin-2-2-8-auth-broken-access-control-vulnerability


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Cross-site scripting

EUVDB-ID: #VU69613

Risk: Low

CVSSv3.1: 5 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2022-41785

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Photo Gallery – Image Gallery by Ape: 2.2.1 - 2.2.8

External links

http://patchstack.com/database/vulnerability/gallery-images-ape/wordpress-gallery-images-ape-plugin-2-2-8-auth-cross-site-scripting-xss-vulnerability


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###