CVE-2024-13906: 
WordPress vulnerability analysis and mitigation

The Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress plugin is affected by a PHP Object Injection vulnerability in versions up to and including 4.7.3. The vulnerability was discovered and reported on March 7, 2025, and has been assigned CVE-2024-13906. The issue affects the plugin's 'import_gallery_from_csv' function (NVD).

The vulnerability stems from the improper handling of deserialization of untrusted input in the 'import_gallery_from_csv' function. It has been assigned a CVSS v3.1 base score of 7.2 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-502 (Deserialization of Untrusted Data) (NVD, Wordfence).

The vulnerability's impact is contingent on the presence of a POP (Property-Oriented Programming) chain in other installed plugins or themes. If such a chain exists, authenticated attackers with Administrator-level access could potentially delete arbitrary files, retrieve sensitive data, or execute code on the affected system (NVD).

The vulnerability has been identified in versions up to and including 4.7.3. Users should monitor for updates from the plugin developer and apply them when available. As this is a recently disclosed vulnerability, specific patch information is pending (NVD).