CVE-2019-14798
Description
The 10Web Photo Gallery plugin before 1.5.25 for WordPress has Authenticated Local File Inclusion via directory traversal in the wp-admin/admin-ajax.php?action=shortcode_bwg tagtext parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated Local File Inclusion in 10Web Photo Gallery plugin via directory traversal in tagtext parameter.
Vulnerability
The 10Web Photo Gallery plugin for WordPress before version 1.5.25 contains an authenticated local file inclusion vulnerability. The flaw resides in the wp-admin/admin-ajax.php endpoint when handling the action=shortcode_bwg action. The tagtext parameter is not properly sanitized, allowing directory traversal sequences to be injected [1][2].
Exploitation
An attacker must have authenticated access to the WordPress admin panel. They can craft an AJAX request to admin-ajax.php with action=shortcode_bwg and a malicious tagtext parameter containing directory traversal sequences (e.g., ../../../../etc/passwd). No additional privileges beyond being an authenticated user are required [2].
Impact
Successful exploitation allows the attacker to read arbitrary files on the server, including sensitive system files and WordPress configuration files, potentially leading to further compromise or information disclosure [1].
Mitigation
The vulnerability is fixed in version 1.5.25 of the plugin, which was released prior to the CVE publication. Users should update to version 1.5.25 or later. As of the latest version 1.8.41, the fix remains effective [1][2].
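To check whether the request pattern described above appears in existing web server logs, the following detection sketch is an added example, not code from the plugin or the cited references. The log lines are constructed samples in combined log format, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (documentation IP ranges); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jun/2019:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=shortcode_bwg&tagtext=../../../../etc/passwd HTTP/1.1" 200 1843
203.0.113.5 - - [01/Jun/2019:10:00:07 +0000] "GET /wp-admin/admin-ajax.php?action=shortcode_bwg&tagtext=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843
198.51.100.9 - - [01/Jun/2019:10:01:00 +0000] "GET /wp-admin/admin-ajax.php?action=shortcode_bwg&tagtext=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 512
192.0.2.44 - - [01/Jun/2019:10:02:13 +0000] "GET /wp-admin/admin-ajax.php?action=shortcode_bwg&tagtext=example-value HTTP/1.1" 200 9120
192.0.2.44 - - [01/Jun/2019:10:02:30 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&tagtext=../x HTTP/1.1" 200 58
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so nested encodings are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    """True if any path segment of the decoded value is '..'."""
    normalised = fully_decode(value).replace("\\", "/")
    return ".." in normalised.split("/")

def suspicious_requests(log_text):
    """Return (client, decoded tagtext) for shortcode_bwg requests with traversal."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target = match.groups()
        url = urlsplit(target)
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        if "shortcode_bwg" not in params.get("action", []):
            continue
        for value in params.get("tagtext", []):
            if has_traversal(value):
                hits.append((client, fully_decode(value)))
    return hits

if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client}\ttagtext={value}")
```

Standard access logs record only the query string, so parameters sent in a POST body need request-body logging or a WAF rule to be covered by the same check.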
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References
- wordpress.org/plugins/photo-gallery/ (mitre, x_refsource_MISC)
- wpvulndb.com/vulnerabilities/9361 (mitre, x_refsource_MISC)
- www.pluginvulnerabilities.com/2019/05/14/authenticated-local-file-inclusion-lfi-vulnerability-in-photo-gallery-by-10web/ (mitre, x_refsource_MISC)