NextGEN Gallery < 3.39 - Admin+ PHAR Deserialization
Description
NextGEN Gallery < 3.39 allows Admin+ PHAR deserialization via unvalidated input in the gallery_edit function, enabling arbitrary resource access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WordPress plugin NextGEN Gallery, in versions before 3.39, is vulnerable to PHAR deserialization because the gallery_edit function does not sufficiently validate its input parameters [1]. An attacker can use this to trigger deserialization of a PHAR file, gaining access to arbitrary resources on the server. All versions prior to 3.39 are affected [1].
Exploitation
An attacker must have Administrator-level (Admin+) privileges to access the gallery_edit function [1]. The attacker can craft a malicious PHAR file and upload it, or otherwise control a file path that is processed by the vulnerable function, leading to deserialization of the PHAR payload [1]. No public proof-of-concept has been disclosed by the source beyond the advisory [1].
Impact
Successful exploitation allows an attacker to read arbitrary files from the server (information disclosure) and potentially execute arbitrary code via the deserialization gadget chain [1]. The attacker gains the ability to access sensitive server resources, escalating from Admin privileges to full server compromise [1].
Mitigation
The vulnerability is fixed in NextGEN Gallery version 3.39, released on 2023-09-25 [1]. Users must update to at least version 3.39 to eliminate the vulnerability. No workarounds are provided; updating the plugin is the recommended mitigation [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- NextGEN Gallery (WordPress plugin): range < 3.39
References
[1] wpscan.com/vulnerability/ed099489-1db4-4b42-9f72-77de39c9e01e (tags: mitre, exploit, vdb-entry, technical-description)