CVE-2014-2558
Severity CVSS v4.0:
Pending analysis
Type:
CWE-94
Code Injection
Publication date:
06/05/2014
Last modified:
12/04/2025
Description
The File Gallery plugin before 1.7.9.2 for WordPress does not properly escape strings, which allows remote administrators to execute arbitrary PHP code via a \' (backslash quote) in the setting fields to /wp-admin/options-media.php, related to the create_function function.
Impact
Base Score 2.0
6.50
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:skyphe:file-gallery:*:*:*:*:*:wordpress:*:* | 1.7.9 (including) | |
| cpe:2.3:a:skyphe:file-gallery:1.1:*:*:*:*:wordpress:*:* | ||
| cpe:2.3:a:skyphe:file-gallery:1.2:*:*:*:*:wordpress:*:* | ||
| cpe:2.3:a:skyphe:file-gallery:1.3:*:*:*:*:wordpress:*:* | ||
| cpe:2.3:a:skyphe:file-gallery:1.4:*:*:*:*:wordpress:*:* | ||
| cpe:2.3:a:skyphe:file-gallery:1.5:*:*:*:*:wordpress:*:* | ||
| cpe:2.3:a:skyphe:file-gallery:1.5:a:*:*:*:wordpress:*:* | ||
| cpe:2.3:a:skyphe:file-gallery:1.5:b:*:*:*:wordpress:*:* | ||
| cpe:2.3:a:skyphe:file-gallery:1.5:b2:*:*:*:wordpress:*:* | ||
| cpe:2.3:a:skyphe:file-gallery:1.5:b3:*:*:*:wordpress:*:* | ||
| cpe:2.3:a:skyphe:file-gallery:1.5:rc1:*:*:*:wordpress:*:* | ||
| cpe:2.3:a:skyphe:file-gallery:1.5.1:*:*:*:*:wordpress:*:* | ||
| cpe:2.3:a:skyphe:file-gallery:1.5.2:*:*:*:*:wordpress:*:* | ||
| cpe:2.3:a:skyphe:file-gallery:1.5.3:*:*:*:*:wordpress:*:* | ||
| cpe:2.3:a:skyphe:file-gallery:1.5.4:*:*:*:*:wordpress:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://seclists.org/fulldisclosure/2014/Apr/305
- http://wordpress.org/plugins/file-gallery/changelog/
- http://www.securityfocus.com/bid/67120
- http://www.securityfocus.com/bid/67183
- http://seclists.org/fulldisclosure/2014/Apr/305
- http://wordpress.org/plugins/file-gallery/changelog/
- http://www.securityfocus.com/bid/67120
- http://www.securityfocus.com/bid/67183