CVE-2022-1282: Cross-site Scripting in Photo Gallery

Severity
6.1 MEDIUM (NVD)
EPSS
0.2%
top 56.41%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: May 2
Latest update: May 3

Description

The Photo Gallery by 10Web WordPress plugin before 1.6.3 does not properly sanitize the $_GET['image_url'] variable, which is reflected back to the users when executing the editimage_bwg AJAX action.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (1 package)

NVD: 10web/photo_gallery < 1.6.3

Patches

🔴Vulnerability Details

2
GHSA
GHSA-pvgm-8x6w-r3f9: The Photo Gallery by 10Web WordPress plugin before 1 (2022-05-03)
CVEList
Photo Gallery < 1.6.3 - Reflected Cross-Site Scripting (2022-05-02)