CVE-2015-9380
Description
The photo-gallery plugin before 1.2.42 for WordPress has CSRF.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in Photo Gallery by 10Web WordPress plugin before 1.2.42 allows attackers to perform unauthorized actions on behalf of logged-in admins.
Vulnerability
The CSRF vulnerability exists in the Photo Gallery plugin by 10Web (formerly Photo Gallery) for WordPress, affecting versions before 1.2.42. The plugin lacks proper nonce validation in critical administrative functions, allowing an attacker to trick a logged-in administrator into performing unintended actions such as modifying gallery settings or deleting images [1]. The vulnerability is present in the administrative interface of the plugin where sensitive operations are performed without cryptographic token validation.
Exploitation
An attacker can exploit this vulnerability by crafting a malicious link or hosting a page that submits a forged request to the WordPress admin panel while the targeted administrator is authenticated. No special network position is required beyond the ability to deliver the crafted request (e.g., via email, social engineering, or embedding in a third-party site). The attack requires the victim to have administrator privileges on the WordPress instance and be logged in when the malicious request is executed. The sequence involves the attacker preparing a CSRF payload targeting the photo-gallery plugin's admin actions (e.g., admin-ajax.php or plugin-specific action handlers) and then luring the administrator to trigger it.
Impact
Successful exploitation allows the attacker to perform any action that the targeted administrator can perform within the Photo Gallery plugin, including but not limited to creating, modifying, or deleting galleries, images, and settings. The impact is primarily on data integrity and availability. No direct privilege escalation occurs, but the attacker can disrupt the website's gallery functionality, deface content, or steal sensitive configuration data (if such actions are accessible via the admin interface). The scope of compromise is limited to the plugin's functionalities; however, depending on the plugin's integrations (e.g., database access), the attacker could potentially affect other parts of the site.
Mitigation
The vulnerability is fixed in version 1.2.42 of the Photo Gallery plugin. Site administrators should immediately update to at least version 1.2.42. As of the publication date (2019-08-30), no workarounds were publicly documented beyond applying the patch. The plugin is actively maintained; subsequent versions (e.g., 1.8.41 as of the reference) include the fix [1]. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the latest data.
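As an added illustration (not the plugin's own code, which this record does not include), the handler shape that the fix class addresses: a WordPress admin action that runs without token validation beside one that checks a capability and a nonce. All function names, hook names and option keys below are hypothetical.

```php
<?php
// Added illustrative example, not the Photo Gallery plugin's code. Handler
// names, hook names and the option key are hypothetical stand-ins.

// Weak pattern: the action runs for any logged-in user whose browser submits
// the request, so a forged cross-site form or link succeeds.
function example_gallery_delete_weak() {
    $image_id = absint( $_GET['image_id'] ?? 0 );
    delete_option( 'example_gallery_image_' . $image_id ); // stand-in for the real deletion
    wp_safe_redirect( admin_url( 'admin.php?page=example-gallery' ) );
    exit;
}

// Hardened pattern: a capability check confirms the user may perform the
// action at all, and check_admin_referer() verifies a nonce bound to this
// action and user, which a cross-site page cannot obtain. A failed check
// aborts the request via wp_die() before any state changes.
function example_gallery_delete_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    $image_id = absint( $_GET['image_id'] ?? 0 );
    check_admin_referer( 'example_gallery_delete_' . $image_id );
    delete_option( 'example_gallery_image_' . $image_id );
    wp_safe_redirect( admin_url( 'admin.php?page=example-gallery' ) );
    exit;
}
add_action( 'admin_post_example_gallery_delete', 'example_gallery_delete_hardened' );

// The link the plugin's own admin screen renders must carry the matching
// nonce, otherwise the hardened handler rejects the legitimate request too.
function example_gallery_delete_link( $image_id ) {
    $image_id = absint( $image_id );
    $url = admin_url( 'admin-post.php?action=example_gallery_delete&image_id=' . $image_id );
    return wp_nonce_url( $url, 'example_gallery_delete_' . $image_id );
}

// The same protection for an admin-ajax.php endpoint: check_ajax_referer()
// validates the nonce sent in the _ajax_nonce (or _wpnonce) field.
function example_gallery_ajax_delete() {
    check_ajax_referer( 'example_gallery_ajax' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    delete_option( 'example_gallery_image_' . absint( $_POST['image_id'] ?? 0 ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_gallery_delete', 'example_gallery_ajax_delete' );
```

The nonce check must sit beside a capability check: a nonce alone proves the request came from the plugin's own page, not that the user is entitled to the action.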
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress/photo-gallery
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- wordpress.org/plugins/photo-gallery/
- wordpress.org/support/topic/this-plugin-is-reported-as-vulnerable/
- wpvulndb.com/vulnerabilities/7225
News mentions
No linked articles in our index yet.