WordPress GRAND Flash Album Gallery Plugin Multiple Vulnerabilities Network Vulnerability

Summary

This host is installed with WordPress GRAND Flash Album Gallery Plugin and is prone to multiple vulnerabilities.

Impact

Successful exploitation could allow attackers to read arbitrary files via directory traversal attacks and gain sensitive information via SQL Injection attack. Impact Level: Application

Solution

Upgrade to version 1.76 or later, For updates refer to http://wordpress.org/extend/plugins/flash-album-gallery

Insight

The flaws are due to - input validation error in 'want2Read' parameter to 'wp-content/plugins/ flash-album-gallery/admin/news.php', which allows attackers to read arbitrary files via a ../(dot dot) sequences. - improper validation of user-supplied input via the 'pid' parameter to 'wp-content/plugins/flash-album-gallery/lib/hitcounter.php', which allows attackers to manipulate SQL queries by injecting arbitrary SQL code.

Affected

WordPress GRAND Flash Album Gallery Version 0.55.

References

Updated on 2015-03-25

Severity

Classification

CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

Related Vulnerabilities

Take action and discover your vulnerabilities