CVE-2021-24363: 
WordPress vulnerability analysis and mitigation

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before version 1.5.75 contains a path traversal vulnerability identified as CVE-2021-24363. The vulnerability was discovered by researcher avolume and was publicly disclosed on July 18, 2021. This security issue affects the file upload functionality of the plugin, which failed to properly restrict file uploads to its designated uploads folder (WPScan).

The vulnerability is classified as a path traversal issue (CWE-22) that allows high-privilege users to upload images/SVG files to arbitrary locations in the filesystem. The vulnerability has received a CVSS v3.1 base score of 4.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N, indicating network accessibility, low attack complexity, and high privileges required (NVD).

The vulnerability allows authenticated users with high privileges to upload files, including SVG files, to arbitrary locations in the filesystem instead of the intended /wp-content/uploads/photo-gallery/ directory. This could potentially lead to security issues if malicious files are uploaded to sensitive locations (WPScan).

The vulnerability has been fixed in version 1.5.75 of the Photo Gallery by 10Web plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).