Smart Image Gallery < 1.0.19 - Update/Delete Google API Key via CSRF
Description
The Smart Image Gallery WordPress plugin before 1.0.19 lacks CSRF protection, allowing attackers to trick admins into changing settings via a forged request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Smart Image Gallery WordPress plugin (slug: photoshow) in versions before 1.0.19 is missing a Cross-Site Request Forgery (CSRF) check when updating its settings. An attacker can exploit this by crafting a malicious link that, when clicked by a logged-in administrator, silently modifies the plugin's Google API key or other configuration options. The vulnerability is classified as CWE-352 (CSRF) [1].
Exploitation
The attacker does not require any direct authentication; instead, they must trick a logged-in WordPress administrator into visiting a malicious page or clicking a crafted link. No special network position or user interaction beyond the admin clicking a link is needed. The attack triggers a cross-site request to the plugin's settings update endpoint, which the vulnerable code processes without validating a nonce token [1].
Impact
A successful CSRF attack allows the attacker to change the plugin's settings, such as replacing the Google API key with one controlled by the attacker. This could lead to unauthorized use of the Google API key or disruption of the plugin’s functionality. The attack targets the integrity of the plugin's configuration, but does not directly enable remote code execution or privilege escalation; the scope is limited to settings manipulation [1].
Mitigation
The vulnerability is fixed in version 1.0.19 of the Smart Image Gallery plugin. Users should update to the latest version immediately. No workaround is documented; the patch introduces CSRF nonce checks on the settings update action [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <1.0.19
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing CSRF (nonce) check on the plugin's settings-update action allows cross-site request forgery."
Attack vector
An attacker crafts a malicious page or link that, when visited by a logged-in administrator, silently submits a forged request to the plugin's settings endpoint. Because the plugin does not include a CSRF token or nonce check, the browser automatically attaches the admin's session cookie and the request is processed as if the admin intended it [CWE-352]. This allows the attacker to update or delete the plugin's Google API key without the admin's knowledge [ref_id=1].
Affected code
The Smart Image Gallery plugin (plugin slug: photoshow) lacks a CSRF check on its settings update handler. The advisory does not specify the exact file or function name, but the vulnerability is in the administrative settings-update logic of the plugin [ref_id=1].
What the fix does
The advisory states the vulnerability is fixed in version 1.0.19 of the Smart Image Gallery plugin [ref_id=1]. No patch diff is published, but the remediation is to add a CSRF nonce check (or equivalent anti-CSRF token) to the settings-update handler so that only intentionally submitted requests from the admin are accepted.
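The following is an added illustration of the remediation described above, not code from the Smart Image Gallery plugin or from the advisory. It shows a WordPress settings handler without a nonce check beside a hardened version that embeds a nonce in the form, verifies it with `check_admin_referer()`, and also enforces a capability check. The option name, action name, page slug and function names are assumptions chosen for the example.

```php
<?php
// Added example (not the plugin's own code). The option name, action name,
// page slug and function names below are assumptions for illustration.

// BEFORE: a settings handler with no nonce and no capability check. Any
// request that carries the admin's session cookie, including a form
// auto-submitted by a third-party page, is processed as intended.
function sig_example_save_settings_vulnerable() {
    if ( isset( $_POST['google_api_key'] ) ) {
        update_option( 'sig_example_google_api_key', $_POST['google_api_key'] );
    }
}

// AFTER: the form embeds a nonce bound to one named action, and the handler
// refuses the request unless the nonce verifies and the user may manage options.
function sig_example_render_settings_form() {
    $key = get_option( 'sig_example_google_api_key', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="sig_example_save_settings">
        <?php wp_nonce_field( 'sig_example_save_settings', 'sig_example_nonce' ); ?>
        <label for="google_api_key">Google API key</label>
        <input type="text" id="google_api_key" name="google_api_key"
               value="<?php echo esc_attr( $key ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function sig_example_save_settings_fixed() {
    // Authorization first: a nonce proves intent, not permission.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // check_admin_referer() validates the nonce for this exact action and
    // stops with an "Are you sure?" page when it is missing or invalid, which
    // is what a cross-site auto-submitted form produces.
    check_admin_referer( 'sig_example_save_settings', 'sig_example_nonce' );

    $key = isset( $_POST['google_api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['google_api_key'] ) )
        : '';
    update_option( 'sig_example_google_api_key', $key );

    // Redirect back to the (assumed) settings page after a successful save.
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=sig-example-settings' ) ) );
    exit;
}
add_action( 'admin_post_sig_example_save_settings', 'sig_example_save_settings_fixed' );
```

WordPress nonces are tied to the current user's session and the named action and expire after a limited time, so a form field copied from a third-party page cannot satisfy the check. For AJAX endpoints the equivalent call is `check_ajax_referer()`, and `wp_verify_nonce()` is the non-terminating variant when the handler needs to return its own error response.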
Preconditions
- auth: The attacker must trick a logged-in WordPress administrator into visiting a crafted page or link.
- config: The target site must have the Smart Image Gallery plugin installed and active (version before 1.0.19).
- network: No special network position is required; the attack can be delivered via email, forum post, or any medium that can host a link or HTML.
Reproduction
The advisory does not include a full proof-of-concept, but the attack is a standard CSRF: create an HTML page that auto-submits a form to the plugin's settings endpoint (e.g., `wp-admin/admin.php?page=photoshow-settings`) with attacker-changed parameters. When a logged-in admin visits the page, the settings are updated without their consent [ref_id=1].
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. https://wpscan.com/vulnerability/9b11682d-4705-4595-943f-0fa093d0b644/ (reference tags: mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.