Wpo-Hr Ngg Smart Image Search vulnerabilities
4 known vulnerabilities affecting wpo-hr/ngg_smart_image_search.
Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, MEDIUM 3
Vulnerabilities
CVE-2025-52832 | P2 | CRITICAL | CVSS 9.3 | CWE-89 | ≤ 3.4.1 | 2025-07-04
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpo-HR NGG Smart Image Search ngg-smart-image-search allows SQL Injection. This issue affects NGG Smart Image Search: from n/a through <= 3.4.1.
nvd
CVE-2025-58027 | P4 | MEDIUM | CVSS 6.5 | CWE-79 | ≤ 3.4.3 | 2025-09-22
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpo-HR NGG Smart Image Search ngg-smart-image-search allows Stored XSS. This issue affects NGG Smart Image Search: from n/a through <= 3.4.3.
nvd
CVE-2025-47503 | P4 | MEDIUM | CVSS 6.5 | CWE-79 | ≤ 3.3.3 | 2025-05-07
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpo-HR NGG Smart Image Search ngg-smart-image-search allows Stored XSS. This issue affects NGG Smart Image Search: from n/a through <= 3.3.3.
nvd
CVE-2024-13658 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 3.3.2 | ≤ 3.2.1 | 2025-02-12
The NGG Smart Image Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'hr_SIS_nextgen_searchbox' shortcode in all versions up to, and including, 3.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-leve
nvd