CVE-2023-3279: 
WordPress vulnerability analysis and mitigation

The WordPress Gallery Plugin (NextGEN Gallery) before version 3.39 contains a Local File Inclusion (LFI) vulnerability identified as CVE-2023-3279. The vulnerability was discovered by Alex Sanford and publicly disclosed on September 25, 2023. The issue affects the plugin's block attributes validation mechanism, which could allow authenticated users with administrative privileges to perform LFI attacks (WPScan).

The vulnerability stems from improper validation of block attributes before they are used to generate paths passed to include functions. The CVSS v3.1 base score is 4.9 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified as CWE-22 and falls under the OWASP Top 10 category A1: Injection (NVD, WPScan).

When exploited, this vulnerability allows authenticated administrators to perform Local File Inclusion attacks, potentially accessing sensitive files on the server. The attack can lead to unauthorized access to system files, such as /etc/passwd, exposing critical system information (WPScan).

The vulnerability has been patched in version 3.39 of the NextGEN Gallery plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).