Securin Zero-Days

CVE-2015-9538 – Directory Traversal in NextGen Gallery

Severity: High
Vendor: NextGen
Affected Product: NextGen Gallery
CVE: CVE-2015-9538
Securin ID: 2015-CSW-08-1003
Status: Fixed
Date: February 14, 2015

Description

A path traversal vulnerability was identified in the WordPress plugin NextGen Gallery before 2.1.15. An attacker could exploit this flaw by crafting a filter name with a Local File Inclusion (LFI) payload and traversing the file system to access files or directories outside the restricted directory on the remote server.
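The flaw described above comes down to a user-supplied directory name being used without confining it to the restricted directory. The following PHP check is an added example, not NextGen Gallery code and not the vendor's patch: it canonicalizes the requested path and rejects anything that resolves outside the base. The function name `resolve_inside_base` and the demo directory layout are hypothetical.

```php
<?php
// Added example: hypothetical helper, not taken from the plugin or its fix.

/**
 * Resolve a user-supplied relative directory beneath $baseDir.
 * Returns the canonical absolute path, or null when the path does not
 * exist, is not a directory, or resolves outside $baseDir.
 */
function resolve_inside_base(string $baseDir, string $userDir): ?string
{
    // NUL bytes are never valid in a path; reject before touching the filesystem.
    if (strpos($userDir, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, and returns false for
    // paths that do not exist, so the comparison below is on canonical paths.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userDir);
    if ($candidate === false || !is_dir($candidate)) {
        return null;
    }
    // Compare against the base plus a separator so that a sibling such as
    // "/srv/gallery-old" is not accepted as being inside "/srv/gallery".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $base && strpos($candidate . DIRECTORY_SEPARATOR, $prefix) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo layout: <tmp>/gallery/album1 is public, <tmp>/private is not.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'gallery_demo_' . getmypid();
mkdir($root . '/gallery/album1', 0700, true);
mkdir($root . '/private', 0700, true);

$requests = ['album1', 'album1/../album1', '../private', '../../../../../../etc', "album1\0"];
foreach ($requests as $dir) {
    $resolved = resolve_inside_base($root . '/gallery', $dir);
    printf("%-24s => %s\n", addcslashes($dir, "\0"), $resolved === null ? 'REJECTED' : 'allowed');
}

// Remove the demo directories.
rmdir($root . '/gallery/album1');
rmdir($root . '/gallery');
rmdir($root . '/private');
rmdir($root);
```

Because the decision is made on the canonical path, `album1/../album1` is still accepted, which a blocklist on the string `../` would wrongly refuse while missing encoded or symlinked variants.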


Proof of Concept (POC):

Figure 1: HTTP Request & Response for the vulnerable dir variable with ../../../../../../../../../../../xampp/htdocs/wordpress/ (Any traversal) payload

Note: Similarly, the user can fetch any details from any website hosted on the same server.

Impact

An attacker can abuse this vulnerability to view files that should not otherwise be accessible.

Remediations

Download the latest version of the NextGen Gallery plugin and apply the patch as per the vendor advisory.

Timeline

Feb 17, 2015: Reported to Vendor
Feb 18, 2015: Acknowledged by Vendor
Aug 28, 2015: Publicly Released due to no response from Vendor
Nov 26, 2015: CVE Assigned
