VYPR
Unrated severity · NVD Advisory · Published Oct 18, 2025 · Updated Apr 8, 2026

Flickr Gallery <= 1.5.2 - Unauthenticated PHP Object Injection

CVE-2017-20207

Description

The Flickr Gallery plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.5.2 via deserialization of untrusted input from the pager parameter. This allows unauthenticated attackers to inject a PHP Object. Attackers were actively exploiting this vulnerability with the WP_Theme() class to create backdoors.
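
The check below is an added example, not code from the plugin or from this advisory: it flags requests whose pager parameter carries a PHP serialized object, which is the input the description says reaches deserialization. The function names, the assumption that the request is available as a urlencoded query string or form body, and the sample values are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# PHP serialize() writes an object as  O:<name length>:"<Class>":<property count>:{
# and a Serializable class as          C:<name length>:"<Class>":<data length>:{
# Scalars and arrays (i:, s:, b:, a:) never produce this token.
OBJECT_TOKEN = re.compile(
    r'(?<![A-Za-z0-9])[OC]:\d+:"([A-Za-z_\\][\w\\]*)":\d+:\{'
)

def serialized_classes(value, max_decode_rounds=3):
    """Return class names of PHP serialized objects found in value.

    The value is re-checked after each extra round of percent-decoding so
    that double-encoded input is still seen.
    """
    seen = []
    for _ in range(max_decode_rounds):
        for name in OBJECT_TOKEN.findall(value):
            if name not in seen:
                seen.append(name)
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return seen

def inspect_request(form_encoded, param="pager"):
    """Check one urlencoded query string or POST body; return flagged classes."""
    hits = []
    for key, value in parse_qsl(form_encoded, keep_blank_values=True):
        if key == param:
            hits.extend(serialized_classes(value))
    return hits

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "plain page number": "pager=2",
    "serialized array, no object": "pager=a%3A1%3A%7Bs%3A4%3A%22page%22%3Bi%3A2%3B%7D",
    "serialized object": "pager=O%3A8%3A%22WP_Theme%22%3A0%3A%7B%7D",
    "double-encoded object": "pager=O%253A8%253A%2522WP_Theme%2522%253A0%253A%257B%257D",
    "object nested in array": "pager=a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22WP_Theme%22%3A0%3A%7B%7D%7D",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        classes = inspect_request(request)
        print(f"{label}: {'ALERT ' + ','.join(classes) if classes else 'ok'}")
```

Any hit on this parameter is worth an alert regardless of class name, since a page number or a serialized array of scalars never contains an object token.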

Affected products

2

Patches

0

No patches discovered yet.
