Gallery – Flagallery Photo Portfolio [CSRF → File Upload]

Gallery – Flagallery Photo Portfolio WordPress plugin suffers from a CSRF vulnerability that could lead to arbitrary file uploads.


The plugin registers the AJAX action flag_banner_crunch, which calls the function flag_banner_crunch. This function performs no anti-CSRF check (no nonce verification), so any site a logged-in user visits can submit the request on that user's behalf.

The function copies the file named in the $_POST['path'] parameter into the site's upload location. A malicious actor can leverage the CSRF vulnerability to make the affected server copy arbitrary files from a local path or a remote origin.

Note that uploads are limited to allowed file types by default. If the tricked user has the unfiltered_upload capability, however, those restrictions do not apply.


<!-- action must point at the target site's /wp-admin/admin-ajax.php, which dispatches wp_ajax_* actions -->
<form method="post" action="">
    <input type="hidden" name="action" value="flag_banner_crunch">
    <!-- local path or remote URL of the file to be copied -->
    <input type="text" name="path" value="">
    <button type="submit" value="Submit">Submit</button>
</form>
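For comparison, the following is an added, hypothetical PHP sketch of the handler shape described above next to a hardened version; it is not the plugin's own code, and the function names, the nonce action string and the error messages are assumptions. The vulnerable shape honours any POST to admin-ajax.php from a logged-in browser; the hardened one adds nonce verification, a capability check, a ban on remote sources, path confinement to the uploads directory, and allowed-type validation that holds even for users with unfiltered_upload.

```php
<?php
/*
 * Hypothetical illustration (not the plugin's actual code): an admin-ajax
 * action that copies $_POST['path'] with no protection, beside a hardened
 * version. Only the hardened function is hooked below.
 */

// Vulnerable shape: no nonce, no capability check, attacker-controlled source.
// Any cross-site form submitted by a logged-in user's browser is honoured.
function flag_banner_crunch_vulnerable_example() {
    $upload_dir = wp_upload_dir();
    $src  = $_POST['path'];                                  // unchecked input
    $dest = trailingslashit( $upload_dir['path'] ) . basename( $src );
    copy( $src, $dest );  // copy() accepts local paths and, with allow_url_fopen, remote URLs
    wp_send_json_success( array( 'file' => $dest ) );
}

// Hardened shape.
add_action( 'wp_ajax_flag_banner_crunch', 'flag_banner_crunch_hardened_example' );

function flag_banner_crunch_hardened_example() {
    // 1. Anti-CSRF: the nonce is only available on pages served to this user,
    //    so a form on a foreign origin cannot supply it. Sends 403 and exits on failure.
    check_ajax_referer( 'flag_banner_crunch', 'nonce' );

    // 2. Authorisation: require the capability that governs media uploads.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $upload_dir = wp_upload_dir();
    $src = isset( $_POST['path'] ) ? wp_unslash( $_POST['path'] ) : '';

    // 3. Refuse remote sources: anything with a URL scheme is rejected.
    if ( '' === $src || preg_match( '#^[a-z][a-z0-9+.-]*://#i', $src ) ) {
        wp_send_json_error( 'remote sources are not allowed', 400 );
    }

    // 4. Confine the source to the uploads directory; realpath() resolves ../ and symlinks.
    $base = realpath( $upload_dir['basedir'] );
    $real = realpath( $src );
    if ( false === $base || false === $real
        || 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'path outside uploads directory', 400 );
    }

    // 5. Enforce the allowed-type list regardless of the caller's unfiltered_upload.
    $ft = wp_check_filetype( $real );
    if ( empty( $ft['ext'] ) || empty( $ft['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 400 );
    }

    $dest = trailingslashit( $upload_dir['path'] )
        . wp_unique_filename( $upload_dir['path'], basename( $real ) );
    if ( ! copy( $real, $dest ) ) {
        wp_send_json_error( 'copy failed', 500 );
    }
    wp_send_json_success( array( 'file' => $dest ) );
}
```

The legitimate client must send the nonce created with wp_create_nonce( 'flag_banner_crunch' ) in the `nonce` field (for example via wp_localize_script); the CSRF form above cannot obtain that value, so check_ajax_referer() rejects it before any file is touched.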

  • 2019-03-17:
    Vendor notified through contact form on
  • 2019-03-22:
    Vendor replied
  • 2019-03-23:
    Vendor received details