CVE-2017-20207
Published: 18 October 2025
Summary
CVE-2017-20207 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Dancoulter Flickr Gallery. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 32.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely remediation of flaws like the PHP Object Injection in the Flickr Gallery plugin, directly preventing exploitation via patching as provided in changeset 1737576.
SI-10 mandates validation of untrusted input such as the 'pager' parameter, blocking malicious serialized data deserialization before object injection occurs.
SI-3 deploys malicious code protection to identify and block backdoors created via WP_Theme() class exploitation from the object injection vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote exploitation of a public-facing WordPress plugin via PHP object injection (T1190), actively used to create backdoors consistent with web shells (T1100).
NVD Description
The Flickr Gallery plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.5.2 via deserialization of untrusted input from the `pager ` parameter. This allows unauthenticated attackers to inject a PHP Object. Attackers were…
more
actively exploiting this vulnerability with the WP_Theme() class to create backdoors.
Deeper analysisAI
CVE-2017-20207 is a PHP Object Injection vulnerability (CWE-502) in the Flickr Gallery plugin for WordPress, affecting versions up to and including 1.5.2. The issue arises from deserialization of untrusted input via the "pager" parameter, enabling attackers to inject arbitrary PHP objects. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high confidentiality, integrity, and availability impacts.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no privileges required. By supplying malicious serialized data in the "pager" parameter, they can trigger object injection, which has been actively used in the wild with the WP_Theme() class to create backdoors on affected sites.
Advisories from Wordfence highlight this as one of three zero-day plugin vulnerabilities exploited in the wild in 2017, with a patch available in the WordPress plugin trac changeset 1737576 for Flickr Gallery. Security practitioners should ensure the plugin is updated beyond version 1.5.2 to mitigate the issue, and monitor Wordfence threat intelligence for related indicators.
This vulnerability saw active real-world exploitation shortly after disclosure, demonstrating the risks of unpatched WordPress plugins handling serialized data.
Details
- CWE(s)