CVE-2024-11501: 
WordPress vulnerability analysis and mitigation

The Gallery plugin for WordPress contains a PHP Object Injection vulnerability (CVE-2024-11501) affecting all versions up to and including 1.3. The vulnerability was discovered by Francesco Carlucci and disclosed in December 2024. The issue affects the WordPress Gallery plugin's handling of the wdgallery$id parameter (NVD).

The vulnerability stems from unsafe deserialization of untrusted input from the wdgallery$id parameter. This security flaw has been assigned a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue is classified as CWE-502 (Deserialization of Untrusted Data) (NVD, Wordfence).

The vulnerability allows authenticated attackers with Contributor-level access or higher to inject PHP Objects. While no known POP (Property-Oriented Programming) chain is present in the vulnerable software itself, if a POP chain exists via additional plugins or themes installed on the target system, attackers could potentially delete arbitrary files, retrieve sensitive data, or execute code (NVD).

Users should update to a version newer than 1.3 when available. In the meantime, site administrators should carefully review and potentially restrict Contributor-level access to minimize the risk (NVD).