VYPR
← All advisories
High severity7.5NVD Advisory· Published Jun 9, 2026· Updated Jun 9, 2026

CVE-2017-20248

CVE-2017-20248

Description

Apptha Slider Gallery 1.0 is vulnerable to path traversal, allowing unauthenticated attackers to download arbitrary files via the imgname parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apptha Slider Gallery 1.0 is vulnerable to path traversal, allowing unauthenticated attackers to download arbitrary files via the `imgname` parameter.

Vulnerability

Apptha Slider Gallery version 1.0 contains a path traversal vulnerability. This vulnerability exists in the asgallDownload.php script and can be exploited by manipulating the imgname parameter to access files outside the intended directory [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending a crafted request to asgallDownload.php. By using directory traversal sequences such as ../ within the imgname parameter, an attacker can navigate the file system and download arbitrary files [1, 2]. For example, a request like http://localhost/[PLUGIN_PATH]/asgallDownload.php?imgname=../../../wp-load.php could be used [2].

Impact

Successful exploitation allows an unauthenticated attacker to download arbitrary files from the server. This could lead to the disclosure of sensitive information, depending on the files accessed [1].

Mitigation

Apptha Slider Gallery version 1.0 is affected. A fixed version is not explicitly mentioned in the available references, but the vendor is Apptha [1, 2]. It is recommended to update to a patched version once it becomes available or consider removing the plugin if a patch is not provided.

References
  1. WordPress Plugin Apptha Slider Gallery 1.0 Path Traversal File Download
  2. OffSec’s Exploit Database Archive

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

3

News mentions

0

No linked articles in our index yet.