User Post Gallery <= 2.19 - Unauthenticated RCE
Description
The User Post Gallery WordPress plugin through version 2.19 does not limit which callback functions can be called by users, making it possible for any visitor to run code on sites running it.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Range: <=2.19
Patches
Vulnerability mechanics
Root cause
"The plugin does not limit what callback functions can be called by users, allowing arbitrary PHP function execution."
Attack vector
An unauthenticated attacker sends a crafted HTTP request to the WordPress site running the User Post Gallery plugin (wp-upg) through version 2.19. The plugin exposes a callback mechanism that fails to validate or restrict which PHP functions can be invoked. Because no authentication is required and no callback whitelist exists, any visitor can call arbitrary PHP functions, leading to remote code execution [CWE-94] [ref_id=1].
Affected code
The advisory does not specify exact file paths or function names within the plugin. The vulnerable component is the callback dispatch mechanism in the User Post Gallery (wp-upg) plugin through version 2.19 [ref_id=1].
What the fix does
No patch or fixed version has been published by the vendor as of the advisory's last update [ref_id=1]. The remediation guidance is to restrict the callback functions the plugin will accept — either by implementing a whitelist of allowed callbacks or by removing the unsafe callback dispatch entirely. Until a fix is released, users should disable or replace the plugin.
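The following is an added, hypothetical illustration of the allowlist approach described above; it is not code from the User Post Gallery plugin, and the hook, action and function names (upg_demo_*) are invented for the example. It shows a WordPress AJAX handler that maps a request-supplied action name onto a fixed table of permitted functions, so the request value is only ever used as an array key and never as a function name.

```php
<?php
// Hypothetical hardened dispatcher (added example, not the plugin's code).
// The unsafe pattern the advisory describes is dispatching directly on a
// request value, e.g. call_user_func( $_POST['callback'] ); the version
// below never passes user input to call_user_func as a function name.

add_action( 'wp_ajax_upg_demo_dispatch', 'upg_demo_dispatch' );
add_action( 'wp_ajax_nopriv_upg_demo_dispatch', 'upg_demo_dispatch' );

function upg_demo_dispatch() {
    // Allowlist: the only functions this endpoint may ever invoke.
    $allowed = array(
        'list_gallery' => 'upg_demo_list_gallery',
        'get_item'     => 'upg_demo_get_item',
    );

    // Reject requests that were not issued from a page carrying our nonce.
    check_ajax_referer( 'upg_demo_nonce', 'nonce' );

    // Normalise the requested action and look it up; anything not in the
    // table is refused before any function is resolved.
    $action = isset( $_POST['do'] ) ? sanitize_key( wp_unslash( $_POST['do'] ) ) : '';
    if ( ! isset( $allowed[ $action ] ) ) {
        wp_send_json_error( 'unknown action', 400 );
    }

    // Dispatch on the allowlisted value, not on the raw request string.
    $result = call_user_func( $allowed[ $action ] );
    wp_send_json_success( $result );
}

function upg_demo_list_gallery() {
    // Placeholder for the real listing logic.
    return array( 'items' => array() );
}

function upg_demo_get_item() {
    // Example of a per-action capability check for more sensitive operations.
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    return array( 'id' => $id );
}
```

Auditing an existing plugin for this class of bug comes down to finding every call_user_func, call_user_func_array or variable-function call whose callable is derived from request data and routing it through a table like the one above.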
Preconditions
- config: The WordPress site must have the User Post Gallery plugin (wp-upg) version 2.19 or earlier installed and activated.
- auth: No authentication is required; any visitor to the site can trigger the vulnerability.
- network: The attacker must be able to send HTTP requests to the WordPress site.
- input: The attacker must craft a request that specifies a callback function name to be executed.
Reproduction
The advisory does not include explicit reproduction steps beyond stating that any visitor can call arbitrary callback functions. The linked WPScan entry [ref_id=1] is the public reference but does not contain a step-by-step PoC in the extracted text.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. wpscan.com/vulnerability/8f982ebd-6fc5-452d-8280-42e027d01b1e (tags: mitre, exploit, vdb-entry, technical-description)