CVE-2024-52400: 
WordPress vulnerability analysis and mitigation

The Gallerio WordPress plugin contains an Unrestricted Upload of File with Dangerous Type vulnerability, identified as CVE-2024-52400. This vulnerability affects all versions of Gallerio up to and including version 1.01. The vulnerability was discovered by researcher C_T_R_L and was publicly disclosed on November 13, 2024 (WPScan, Patchstack).

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and has received a CVSS v3.1 base score of 9.9 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The issue stems from missing file type validation in the plugin's file upload functionality, which affects authenticated users with Subscriber-level access and above (Patchstack).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to upload arbitrary files to the affected site's server. This capability could potentially lead to remote code execution, giving attackers significant control over the compromised system (WPScan).

Currently, there is no official fix available for this vulnerability. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement immediate mitigation measures or consider using Patchstack's protection (Patchstack).