Unknown Photo Gallery By 10Web vulnerabilities

CVE-2024-8670 [MEDIUM] CWE-79 CVE-2024-8670: The Photo Gallery by 10Web WordPress plugin before 1.8.29 does not sanitise and escape some of its The Photo Gallery by 10Web WordPress plugin before 1.8.29 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2025-0613 [MEDIUM] CWE-79 CVE-2025-0613: The Photo Gallery by 10Web WordPress plugin before 1.8.34 does not sanitised and escaped comment ad The Photo Gallery by 10Web WordPress plugin before 1.8.34 does not sanitised and escaped comment added on images by unauthenticated users, leading to an Unauthenticated Stored-XSS attack when comments are displayed

CVE-2024-13124 [LOW] CWE-79 CVE-2024-13124: The Photo Gallery by 10Web WordPress plugin before 1.8.33 does not sanitise and escape some of its The Photo Gallery by 10Web WordPress plugin before 1.8.33 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2024-10704 [MEDIUM] CWE-79 CVE-2024-10704: The Photo Gallery by 10Web WordPress plugin before 1.8.31 does not sanitise and escape some of its The Photo Gallery by 10Web WordPress plugin before 1.8.31 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2024-5968 [MEDIUM] CWE-79 CVE-2024-5968: The Photo Gallery by 10Web WordPress plugin before 1.8.28 does not properly sanitise and escape som The Photo Gallery by 10Web WordPress plugin before 1.8.28 does not properly sanitise and escape some of its Gallery settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2023-1427 [MEDIUM] CWE-22 CVE-2023-1427: - The Photo Gallery by 10Web WordPress plugin before 1.8.15 did not ensure that uploaded files are k - The Photo Gallery by 10Web WordPress plugin before 1.8.15 did not ensure that uploaded files are kept inside its uploads folder, allowing high privilege users to put images anywhere in the filesystem via a path traversal vector.

CVE-2022-4058 [MEDIUM] CWE-79 CVE-2022-4058: The Photo Gallery by 10Web WordPress plugin before 1.8.3 does not validate and escape some parameter The Photo Gallery by 10Web WordPress plugin before 1.8.3 does not validate and escape some parameters before outputting them back in in JS code later on in another page, which could lead to Stored XSS issue when an attacker makes a logged in admin open a malicious URL or page under their control.

CVE-2021-24139 [CRITICAL] CWE-89 CVE-2021-24139: Unvalidated input in the Photo Gallery (10Web Photo Gallery) WordPress plugin, versions before 1.5.5 Unvalidated input in the Photo Gallery (10Web Photo Gallery) WordPress plugin, versions before 1.5.55, leads to SQL injection via the frontend/models/model.php bwg_search_x parameter.