Security for everyone

CVE-2024-3097 Scanner

CVE-2024-3097 scanner - Unauthenticated Information Disclosure vulnerability in NextGEN Gallery

SCAN NOW

Short Info


Level

Medium

Single Scan

Single Scan

Can be used by

Asset Owner

Estimated Time

10 sec

Scan only one

Url

Toolbox

-

NextGEN Gallery is a popular WordPress plugin used by website owners to manage and display image galleries. It is widely utilized by photographers, artists, and bloggers to showcase their visual content. The plugin allows users to upload, organize, and publish galleries with ease. Additionally, it supports various gallery styles and provides an intuitive interface for managing images. The vulnerability check focuses on unauthorized access to sensitive data within the plugin.

The vulnerability in NextGEN Gallery allows unauthenticated attackers to access sensitive image metadata. This occurs due to a missing capability check in the get_item function. Exploiting this flaw, attackers can extract EXIF and other metadata from any uploaded image. The vulnerability affects versions up to and including 3.59.

The NextGEN Gallery plugin lacks proper authorization checks in the get_item function, specifically in the REST API endpoint. The vulnerable endpoint is "/wp-json/ngg/v1/admin/block/image/1", which can be accessed without authentication. The plugin's failure to verify user permissions allows attackers to retrieve sensitive information. The metadata extracted includes EXIF data, potentially exposing location and camera details. Proper authorization checks are missing, making the data vulnerable to unauthorized access.

Exploitation of this vulnerability can lead to the exposure of sensitive image metadata. Attackers may use this information to gain insights into user activity, including location data from EXIF metadata. This could result in privacy breaches and unauthorized tracking of individuals. Furthermore, the disclosure of metadata might aid in planning further attacks or social engineering schemes. The vulnerability poses a risk to user privacy and security.

Join the SecurityforEveryone platform to ensure your digital assets are secure. Our comprehensive scans detect vulnerabilities like unauthorized information disclosure in widely used plugins such as NextGEN Gallery. By becoming a member, you'll receive detailed reports, timely alerts, and expert guidance on remediation. Protect your website, maintain user trust, and stay ahead of potential threats with our proactive security measures. SecurityforEveryone helps you safeguard your online presence effortlessly.

References:

cyber security services for everyone one. Free security tools, continuous vulnerability scanning and many more.
Try it yourself,
control security posture