Responsive Lightbox & Gallery Security Vulnerabilities

CVE-2023-7130 code-projects College Notes Gallery login.php sql injection

A vulnerability has been found in code-projects College Notes Gallery 2.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file login.php. The manipulation of the argument user leads to sql injection. The exploit has been disclosed to the public and may....

CVE-2023-51373

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ian Kennerley Google Photos Gallery with Shortcodes allows Reflected XSS.This issue affects Google Photos Gallery with Shortcodes: from n/a through...

CVE-2023-51373

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ian Kennerley Google Photos Gallery with Shortcodes allows Reflected XSS.This issue affects Google Photos Gallery with Shortcodes: from n/a through...

Cross site scripting

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ian Kennerley Google Photos Gallery with Shortcodes allows Reflected XSS.This issue affects Google Photos Gallery with Shortcodes: from n/a through...

CVE-2023-51373 WordPress Google Photos Gallery with Shortcodes Plugin <= 4.0.2 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ian Kennerley Google Photos Gallery with Shortcodes allows Reflected XSS.This issue affects Google Photos Gallery with Shortcodes: from n/a through...

CVE-2023-51449

Gradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitary Python function. Versions of gradio prior to 4.11.0 contained a vulnerability in the /file route which made them susceptible to file traversal...

Photo Gallery by 10Web < 1.8.19 - Authenticated (Administrator+) Stored Cross-Site Scripting via Widget

Description The Photo Gallery by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widgets in versions up to, and including, 1.8.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...

CVE-2023-28491

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tribulant Slideshow Gallery LITE.This issue affects Slideshow Gallery LITE: from n/a through...

CVE-2023-28491

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tribulant Slideshow Gallery LITE.This issue affects Slideshow Gallery LITE: from n/a through...

Sql injection

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tribulant Slideshow Gallery LITE.This issue affects Slideshow Gallery LITE: from n/a through...

CVE-2023-28491 WordPress Slideshow Gallery Plugin <= 1.7.6 is vulnerable to SQL Injection

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tribulant Slideshow Gallery LITE.This issue affects Slideshow Gallery LITE: from n/a through...

CVE-2023-5413

The Image horizontal reel scroll slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'ihrss-gallery' shortcode in versions up to, and including, 13.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2023-5413

The Image horizontal reel scroll slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'ihrss-gallery' shortcode in versions up to, and including, 13.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

Cross site scripting

The Image horizontal reel scroll slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'ihrss-gallery' shortcode in versions up to, and including, 13.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2023-5413

The Image horizontal reel scroll slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'ihrss-gallery' shortcode in versions up to, and including, 13.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

Image horizontal reel scroll slideshow < 13.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description The Image horizontal reel scroll slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'ihrss-gallery' shortcode in versions up to, and including, 13.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

WordPress Responsive Lightbox & Gallery Plugin < 2.4.6 XSS Vulnerability

The WordPress...

CVE-2023-49174

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dFactory Responsive Lightbox & Gallery allows Stored XSS.This issue affects Responsive Lightbox & Gallery: from n/a through...

CVE-2023-49174

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dFactory Responsive Lightbox & Gallery allows Stored XSS.This issue affects Responsive Lightbox & Gallery: from n/a through...

CVE-2023-49178

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mr. Hdwplayer HDW Player Plugin (Video Player & Video Gallery) allows Reflected XSS.This issue affects HDW Player Plugin (Video Player & Video Gallery): from n/a through...

CVE-2023-49178

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mr. Hdwplayer HDW Player Plugin (Video Player & Video Gallery) allows Reflected XSS.This issue affects HDW Player Plugin (Video Player & Video Gallery): from n/a through...

Cross site scripting

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mr. Hdwplayer HDW Player Plugin (Video Player & Video Gallery) allows Reflected XSS.This issue affects HDW Player Plugin (Video Player & Video Gallery): from n/a through...

Cross site scripting

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dFactory Responsive Lightbox & Gallery allows Stored XSS.This issue affects Responsive Lightbox & Gallery: from n/a through...

CVE-2023-49178 WordPress HDW Player Plugin (Video Player & Video Gallery) Plugin <= 5.0 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mr. Hdwplayer HDW Player Plugin (Video Player & Video Gallery) allows Reflected XSS.This issue affects HDW Player Plugin (Video Player & Video Gallery): from n/a through...

CVE-2023-49174 WordPress Responsive Lightbox Plugin <= 2.4.5 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dFactory Responsive Lightbox & Gallery allows Stored XSS.This issue affects Responsive Lightbox & Gallery: from n/a through...

CVE-2023-48771

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bruno "Aesqe" Babic File Gallery allows Reflected XSS.This issue affects File Gallery: from n/a through...

CVE-2023-48771

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bruno "Aesqe" Babic File Gallery allows Reflected XSS.This issue affects File Gallery: from n/a through...

Cross site scripting

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bruno "Aesqe" Babic File Gallery allows Reflected XSS.This issue affects File Gallery: from n/a through...

CVE-2023-48771 WordPress File Gallery Plugin <= 1.8.5.4 is vulnerable to Cross Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bruno "Aesqe" Babic File Gallery allows Reflected XSS.This issue affects File Gallery: from n/a through...

Wordfence Intelligence Weekly WordPress Vulnerability Report (December 4, 2023 to December 10, 2023)

Wordfence just launched its bug bounty program. Through December 20th 2023, all researchers will earn 6.25x our normal bounty rates when Wordfence handles responsible disclosure for our Holiday Bug Extravaganza! Register as a researcher and submit your vulnerabilities today! Last week, there were.....

CVE-2023-6572

Command Injection in GitHub repository gradio-app/gradio prior to...

Over 100 WordPress Repository Plugins Affected by Shortcode-based Stored Cross-Site Scripting

On August 14, 2023, the Wordfence Threat Intelligence team began a research project to find Stored Cross-Site Scripting (XSS) via Shortcode vulnerabilities in WordPress repository plugins. This type of vulnerability enables threat actors with contributor-level permissions or higher to inject...

File Gallery <= 1.8.5.4 - Reflected Cross-Site Scripting via post_id

Description The File Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘post_id’ parameter in versions up to, and including, 1.8.5.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

HDW Player Plugin (Video Player & Video Gallery) <= 5.0 - Cross-Site Scripting

Description The HDW Player Plugin (Video Player & Video Gallery) plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web....

Wordfence Intelligence Weekly WordPress Vulnerability Report (November 27, 2023 to December 3, 2023)

Wordfence just launched its bug bounty program. Through December 20th 2023, all researchers will earn 6.25x our normal bounty rates when Wordfence handles responsible disclosure for our Holiday Bug Extravaganza! Register as a researcher and submit your vulnerabilities today! Last week, there were.....

CVE-2023-47548

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in SoftLab Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site.This issue affects Integrate Google Drive – Browse, Upload, Download, Embed,...

CVE-2023-47548

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in SoftLab Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site.This issue affects Integrate Google Drive – Browse, Upload, Download, Embed,...

Open redirect

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in SoftLab Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site.This issue affects Integrate Google Drive – Browse, Upload, Download, Embed,...

CVE-2023-47548 WordPress Integrate Google Drive Plugin <= 1.3.2 is vulnerable to Open Redirection

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in SoftLab Integrate Google Drive – Browse, Upload, Download, Embed, Play, Share, Gallery, and Manage Your Google Drive Files Into Your WordPress Site.This issue affects Integrate Google Drive – Browse, Upload, Download, Embed,...

Responsive Lightbox < 2.4.6 - Authenticated (Author+) Stored Cross-Site Scripting via name

Description The Responsive Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in versions up to, and including, 2.4.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level...

WordPress NextGEN Gallery Plugin < 3.39 CSRF Vulnerability

The WordPress...

CVE-2023-48328

Cross-Site Request Forgery (CSRF) vulnerability in Imagely WordPress Gallery Plugin – NextGEN Gallery allows Cross Site Request Forgery.This issue affects WordPress Gallery Plugin – NextGEN Gallery: from n/a through...

CVE-2023-48328

Cross-Site Request Forgery (CSRF) vulnerability in Imagely WordPress Gallery Plugin – NextGEN Gallery allows Cross Site Request Forgery.This issue affects WordPress Gallery Plugin – NextGEN Gallery: from n/a through...

Cross site request forgery (csrf)

Cross-Site Request Forgery (CSRF) vulnerability in Imagely WordPress Gallery Plugin – NextGEN Gallery allows Cross Site Request Forgery.This issue affects WordPress Gallery Plugin – NextGEN Gallery: from n/a through...

CVE-2023-48328 WordPress NextGEN Gallery Plugin <= 3.37 is vulnerable to Cross Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Imagely WordPress Gallery Plugin – NextGEN Gallery allows Cross Site Request Forgery.This issue affects WordPress Gallery Plugin – NextGEN Gallery: from n/a through...

Wordfence Intelligence Weekly WordPress Vulnerability Report (November 20, 2023 to November 26, 2023)

Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now! Last week, there were 115 vulnerabilities disclosed in 87 WordPress Plugins and 1 WordPress themes that have been added to the Wordfence...

Securing our home labs: Home Assistant code review

Introduction In July, the GitHub Security Lab team conducted a collaborative review of one of our favorite software pieces. While it's not uncommon for our Security Lab researchers to work together on audits and research projects, we found that conducting team audits occasionally provides a...

WordPress Photos and Files Contest Gallery Plugin < 10.4.5 CSRF Vulnerability

The WordPress...

WP Mail Log < 1.1.3 – Contributor+ Arbitrary File Upload to RCE

Description The plugin does not properly validate file extensions uploading files to attach to emails, allowing attackers to upload PHP files, leading to remote code...

WP Mail Log < 1.1.3 – Contributor+ Arbitrary File Upload to RCE

Description The plugin does not properly validate file extensions uploading files to attach to emails, allowing attackers to upload PHP files, leading to remote code execution. PoC Run the following JS code in any page on the server, setting the id variable to a valid ID of a log entry on the...