Grand Flagallery - Photo Gallery Plugin 4.24, Full Path Disclosure
The default installation of ‘Grand Flagallery’ plugin for WordPress contains a file which, if invalid input is provided to it, results in a full path disclosure of the web root.
Update to version 4.25
Proof of Concept
If the following URL is visited (after plugin activation), a full path disclosure vulnerability occurs.
Similarly, if the plugin has been installed but not yet activated, the following URL will result in the same full path disclosure.
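As an added illustration (not the plugin's own code; the advisory does not name the affected file or parameter), a hypothetical PHP handler shows how unexpected input turns into a path disclosure, beside a hardened version. Function names, the `gallery` parameter and the sample path are assumptions.

```php
<?php
// Added illustration, not code from Grand Flagallery.
// Vulnerable pattern: with display_errors on, any PHP diagnostic sent to the
// client embeds the script's absolute path, so an unexpected parameter type
// is enough to reveal the web root.
function render_gallery_vulnerable(array $request): string {
    ini_set('display_errors', '1');            // typical of a misconfigured host
    $gallery = $request['gallery'];            // client controls the type (string or array)
    // Passing an array raises a warning (PHP 7) or a TypeError (PHP 8); either
    // message is rendered to the client and includes a path such as
    // /var/www/html/wp-content/plugins/<plugin>/<file>.php (assumed path).
    return 'Gallery ' . substr($gallery, 0, 32);
}

// Hardened version: no diagnostics reach the client, input is validated before
// use, and the file refuses to run outside the WordPress bootstrap.
function render_gallery_hardened(array $request): string {
    // 1. Keep PHP errors in the server log, never in the HTTP response.
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');

    // 2. Refuse direct requests: the file is only meaningful when WordPress has
    //    loaded it (ABSPATH is defined by wp-load.php). This matters for the
    //    "installed but not activated" case, where the file is still reachable.
    if (!defined('ABSPATH')) {
        http_response_code(404);
        return '';
    }

    // 3. Validate type and format; reject anything unexpected with a bland message.
    $gallery = $request['gallery'] ?? '';
    if (!is_string($gallery) || !preg_match('/^[A-Za-z0-9_-]{1,32}$/', $gallery)) {
        http_response_code(400);
        return 'Invalid gallery id';           // no path, no stack trace
    }
    return 'Gallery ' . htmlspecialchars($gallery, ENT_QUOTES, 'UTF-8');
}
```

On a WordPress host the same effect is reached site-wide by leaving `WP_DEBUG_DISPLAY` false and `display_errors` off in the PHP configuration; the per-file guard is what keeps a directly requested plugin file from producing output at all.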
- 2014-10-23: Discovered
- 2014-10-23: Vendor notified
- 2014-10-23: Vendor responded, version 4.25 released – issue resolved
- 2014-10-27: CVE requested
- 2014-10-27: CVE assigned
- 2014-10-30: Advisory released