
10Web Photo Gallery vulnerabilities

49 known vulnerabilities affecting 10web/photo_gallery.

Total CVEs: 49
CISA KEV: 0
Public exploits: 7
Exploited in wild: 3
Severity breakdown: CRITICAL 5, HIGH 6, MEDIUM 37, LOW 1

Vulnerabilities

Page 2 of 3
CVE-2024-29809 | P4 | MEDIUM | CVSS 5.4 | fixed in 1.8.22 | 2024-03-26
CWE-79: The image_url parameter of the AJAX call to the editimage_bwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the image_url parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted and executed. The attacker must target an authenticated user with perm
Source: nvd
CVE-2024-29808 | P4 | MEDIUM | CVSS 5.4 | fixed in 1.8.22 | 2024-03-26
CWE-79: The image_id parameter of the AJAX call to the editimage_bwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the image_id parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted and executed. The attacker must target an authenticated user with permiss
Source: nvd
CVE-2024-29810 | P4 | MEDIUM | CVSS 5.4 | fixed in 1.8.22 | 2024-03-26
CWE-79: The thumb_url parameter of the AJAX call to the editimage_bwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the thumb_url parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted and executed. The attacker must target an authenticated user with perm
Source: nvd
CVE-2024-33586 | P4 | MEDIUM | CVSS 5.3 | fixed in 1.8.21 | 2024-04-29
CWE-862: Missing Authorization vulnerability in Photo Gallery Team Photo Gallery by 10Web. This issue affects Photo Gallery by 10Web: from n/a through 1.8.20.
Source: nvd
CVE-2021-24362 | P4 | MEDIUM | CVSS 6.1 | fixed in 1.5.75 | 2021-08-16
CWE-79: The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded SVG files added to a gallery do not contain malicious content. As a result, users allowed to add images to a gallery can upload an SVG file containing JavaScript code, which will be executed when accessing the image directly (ie in the
Source: nvd
CVE-2019-14797 | P4 | MEDIUM | CVSS 5.4 | fixed in 1.5.23 | 2019-08-09
CWE-79: The 10Web Photo Gallery plugin before 1.5.23 for WordPress has authenticated stored XSS.
Source: nvd
CVE-2024-5426 | P4 | MEDIUM | CVSS 5.4 | fixed in 1.8.24 | 2024-06-07
CWE-79: The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘svg’ parameter in all versions up to, and including, 1.8.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that wil
Source: nvd
CVE-2022-1282 | P4 | MEDIUM | CVSS 6.1 | fixed in 1.6.3 | 2022-05-02
CWE-79: The Photo Gallery by 10Web WordPress plugin before 1.6.3 does not properly sanitize the $_GET['image_url'] variable, which is reflected back to the users when executing the editimage_bwg AJAX action.
Source: nvd
CVE-2015-1394 | P4 | MEDIUM | CVSS 5.4 | fixed in 1.2.11 | 2020-02-08
CWE-79: Multiple cross-site scripting (XSS) vulnerabilities in the Photo Gallery plugin before 1.2.11 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via the (1) sort_by, (2) sort_order, (3) items_view, (4) dir, (5) clipboard_task, (6) clipboard_files, (7) clipboard_src, or (8) clipboard_dest parameters in an addImages act
Source: nvd
CVE-2023-1427 | P4 | MEDIUM | CVSS 4.9 | fixed in 1.8.15 | 2023-04-17
CWE-22: The Photo Gallery by 10Web WordPress plugin before 1.8.15 did not ensure that uploaded files are kept inside its uploads folder, allowing high privilege users to put images anywhere in the filesystem via a path traversal vector.
Source: nvd
CVE-2021-25041 | P4 | MEDIUM | CVSS 6.1 | fixed in 1.5.68 | 2021-12-06
CWE-79: The Photo Gallery by 10Web WordPress plugin before 1.5.68 is vulnerable to Reflected Cross-Site Scripting (XSS) issues via the bwg_album_breadcrumb_0 and shortcode_id GET parameters passed to the bwg_frontend_data AJAX action.
Source: nvd
CVE-2021-46889 | P4 | MEDIUM | CVSS 6.1 | affects ≤ 1.5.69 | 2023-06-07
The 10Web Photo Gallery plugin through 1.5.69 for WordPress allows XSS via theme_id for bwg_frontend_data. NOTE: other parameters are covered by CVE-2021-24291, CVE-2021-25041, and CVE-2021-31693.
Source: nvd
CVE-2021-31693 | P4 | MEDIUM | CVSS 6.1 | affects ≤ 1.5.68 | 2022-11-29
The 10Web Photo Gallery plugin through 1.5.68 for WordPress allows XSS via album_gallery_id_0, bwg_album_search_0, and type_0 for bwg_frontend_data. NOTE: other parameters are covered by CVE-2021-24291, CVE-2021-25041, and CVE-2021-46889. NOTE: VMware information, previously connected to this CVE ID because of a typo, is at CVE-2022-31693.
Source: nvd
CVE-2024-32583 | P4 | MEDIUM | CVSS 6.1 | fixed in 1.8.22 | 2024-04-18
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Photo Gallery Team Photo Gallery by 10Web allows Reflected XSS. This issue affects Photo Gallery by 10Web: from n/a through 1.8.21.
Source: nvd
CVE-2022-4058 | P4 | MEDIUM | CVSS 5.4 | fixed in 1.8.3 | 2022-12-19
CWE-79: The Photo Gallery by 10Web WordPress plugin before 1.8.3 does not validate and escape some parameters before outputting them back in JS code later on in another page, which could lead to a Stored XSS issue when an attacker makes a logged in admin open a malicious URL or page under their control.
Source: nvd
CVE-2015-2324 | P4 | MEDIUM | CVSS 5.4 | fixed in 1.2.13 | 2018-02-19
CWE-79: Cross-site scripting (XSS) vulnerability in the filemanager in the Photo Gallery plugin before 1.2.13 for WordPress allows remote authenticated users with edit permission to inject arbitrary web script or HTML via unspecified vectors.
Source: nvd
CVE-2023-33995 | P4 | MEDIUM | CVSS 4.3 | fixed in 1.8.16 | 2024-12-13
CWE-862: Missing Authorization vulnerability in Photo Gallery Team Photo Gallery by 10Web allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Photo Gallery by 10Web: from n/a through 1.8.15.
Source: nvd
CVE-2021-24310 | P4 | MEDIUM | CVSS 4.8 | fixed in 1.5.67 | 2021-06-01
The Photo Gallery by 10Web - Mobile-Friendly Image Gallery WordPress plugin before 1.5.67 did not properly sanitise the gallery title, allowing high privilege users to create one with an XSS payload in it, which will be triggered when another user views the gallery list or the affected gallery in the admin dashboard. This is due to an incomplete fix of CVE
Source: nvd
CVE-2020-9335 | P4 | MEDIUM | CVSS 4.8 | fixed in 1.5.46 | 2020-02-25
CWE-79: Multiple stored XSS vulnerabilities exist in the 10Web Photo Gallery plugin before 1.5.46 for WordPress. Successful exploitation of this vulnerability would allow an authenticated admin user to inject arbitrary JavaScript code that is viewed by other users.
Source: nvd
CVE-2024-10704 | P4 | MEDIUM | CVSS 4.8 | fixed in 1.8.31 | 2024-11-29
CWE-79: The Photo Gallery by 10Web WordPress plugin before 1.8.31 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
Source: nvd