Vulnerability Description
The Flickr Gallery plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.5.2 via deserialization of untrusted input from the `pager ` parameter. This allows unauthenticated attackers to inject a PHP Object. Attackers were actively exploiting this vulnerability with the WP_Theme() class to create backdoors.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dancoulter | Flickr Gallery | <= 1.5.2 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/changeset/1737576/flickr-galleryPatch
- https://www.wordfence.com/blog/2017/10/3-zero-day-plugin-vulnerabilities-exploitPress/Media CoverageThird Party Advisory
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b52ae51d-7b9a-4047-82bThird Party Advisory
FAQ
What is CVE-2017-20207?
CVE-2017-20207 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The Flickr Gallery plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.5.2 via deserialization of untrusted input from the `pager ` parameter. This allows un...
How severe is CVE-2017-20207?
CVE-2017-20207 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2017-20207?
Check the references section above for vendor advisories and patch information. Affected products include: Dancoulter Flickr Gallery.