Fooplugins Gallery By Foogallery vulnerabilities
11 known vulnerabilities affecting fooplugins/gallery_by_foogallery.
Total CVEs
11
CISA KEV
0
Public exploits
0
Exploited in wild
1
Severity breakdown
MEDIUM11
Vulnerabilities
Page 1 of 1
CVE-2022-4974P2MEDIUMCVSS 6.3Exploitedfixed in 2.1.342024-10-16
CVE-2022-4974 [MEDIUM] CWE-862 CVE-2022-4974: The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cr
The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme runni
nvd
CVE-2024-13362P4MEDIUMCVSS 6.1≤ 2.4.272026-05-01
CVE-2024-13362 [MEDIUM] CWE-79 CVE-2024-13362: Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via th
Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into perfor
nvd
CVE-2024-2081P4MEDIUMCVSS 5.4≤ 2.4.142024-04-09
CVE-2024-2081 [MEDIUM] CWE-79 CVE-2024-2081: The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Si
The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the foogallery_attachment_modal_save action in all versions up to, and including, 2.4.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above,
nvd
CVE-2024-2122P4MEDIUMCVSS 5.4≤ 2.4.152024-06-14
CVE-2024-2122 [MEDIUM] CWE-79 CVE-2024-2122: The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Si
The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via album gallery custom URLs in all versions up to, and including, 2.4.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arb
nvd
CVE-2024-12119P4MEDIUMCVSS 5.4≤ 2.4.292025-03-08
CVE-2024-12119 [MEDIUM] CWE-79 CVE-2024-12119: The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for Wo
The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the default_gallery_title_size parameter in all versions up to, and including, 2.4.29 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attacker
nvd
CVE-2025-6068P4MEDIUMCVSS 5.4≤ 2.4.312025-07-11
CVE-2025-6068 [MEDIUM] CWE-79 CVE-2025-6068: The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for Wo
The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-caption-title` & `data-caption-description` HTML attributes in all versions up to, and including, 2.4.31 due to insufficient input sanitization and output escaping. This makes it possible
nvd
CVE-2024-12114P4MEDIUMCVSS 4.3≤ 2.4.292025-03-08
CVE-2024-12114 [MEDIUM] CWE-639 CVE-2024-12114: The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for Wo
The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.29 via the foogallery_attachment_modal_save AJAX action due to missing validation on a user controlled key (img_id). This makes it possible for authent
nvd
CVE-2023-6747P4MEDIUMCVSS 5.4≤ 2.4.82024-01-03
CVE-2023-6747 [MEDIUM] CWE-79 CVE-2023-6747: The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Si
The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom attributes in all versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping. This makes it possible for contributors and above to inject arbitrary web scripts in pages that will execute wh
nvd
CVE-2024-2471P4MEDIUMCVSS 5.4≤ 2.4.142024-04-06
CVE-2024-2471 [MEDIUM] CWE-79 CVE-2024-2471: The FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image attachmen
The FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image attachment fields (such as 'Title', 'Alt Text', 'Custom URL', 'Custom Class', and 'Override Type') in all versions up to, and including, 2.4.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with au
nvd
CVE-2025-15524P4MEDIUMCVSS 4.3≤ 3.1.92026-02-11
CVE-2025-15524 [MEDIUM] CWE-862 CVE-2025-15524: The Gallery by FooGallery plugin for WordPress is vulnerable to unauthorized access of data due to a
The Gallery by FooGallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax_get_gallery_info() function in all versions up to, and including, 3.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve metadata (name, image count, thumbna
nvd
CVE-2024-0604P4MEDIUMCVSS 4.8≤ 2.4.72024-02-29
CVE-2024-0604 [MEDIUM] CWE-79 CVE-2024-0604: The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Si
The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.4.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrar
nvd