CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

415 matches found

WordPress Spider Calendar <=1.5.65 - Cross-Site Scripting

WorsPress Spider Calendar plugin through 1.5.65 is susceptible to cross-site scripting. The plugin does not sanitize and escape the callback parameter before outputting it back in the page via the window AJAX action, available to both unauthenticated and authenticated users. An attacker can injec...

6.1CVSS5.9AI score0.01167EPSS

Exploits2References3

Nuclei•added 8 hours ago•34 views

WordPress Photo Gallery by 10Web <1.5.69 - Cross-Site Scripting

WordPress Photo Gallery by 10Web plugin before 1.5.69 contains multiple reflected cross-site scripting vulnerabilities via the galleryid, tag, albumid and themeid GET parameters passed to the bwgfrontenddata AJAX action, available to both unauthenticated and authenticated users. id: CVE-2021-2429...

6.1CVSS6.4AI score0.14622EPSS

Exploits2References3

Nuclei•added 8 hours ago•25 views

Image Optimizer by 10web < 1.0.26 - Cross-Site Scripting

Image Optimizer by 10web before 1.0.26 is susceptible to cross-site scripting via the iowdtabsactive parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can...

6.1CVSS6.9AI score0.17762EPSS

Exploits2References3

Nuclei•added 8 hours ago•30 views

Seo By 10Web < 1.2.7 - Cross-Site Scripting

The SEO by 10Web WordPress plugin before 1.2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. id:...

4.8CVSS6.7AI score0.01329EPSS

Exploits3References3

Nuclei•added 3 days ago•54 views

Photo Gallery by 10Web < 1.6.0 - SQL Injection

The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwgtagidbwgthumbnails0 parameter before using it in a SQL statement via the bwgfrontenddata AJAX action available to unauthenticated and authenticated users, leading to an unauthenticated SQL injection id:...

9.8CVSS7.4AI score0.82155EPSS

Exploits4References4

CVE•added 2026/05/28 7:43 a.m.•13 views

CVE-2026-7048

The CVE-2026-7048 entry concerns the WordPress plugin Photo Gallery by 10Web – Mobile-Friendly Image Gallery. A time-based blind SQL Injection exists via the order_by parameter in all versions up to and including 1.8.40, caused by insufficient escaping and incomplete SQL query preparation. Authen...

6.5CVSS5.9AI score0.00058EPSS

Exploits0References10

Positive Technologies•added 2026/03/13 12:0 a.m.•1 views

PT-2026-25178

CVE-2026-32330 Cross-Site Request Forgery CSRF vulnerability in 10Web Photo Gallery by 10Web photo-gallery allows Cross Site Request Forgery.This issue affects Photo Gallery by 10… https://t.co/rDg6UMog3V...

4.3CVSS5.8AI score0.0002EPSS

Exploits0References3

Vulnrichment•added 2026/02/19 8:35 p.m.•1 views

CVE-2026-27360 WordPress Photo Gallery by 10Web plugin <= 1.8.37 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in 10Web Photo Gallery by 10Web photo-gallery allows Stored XSS.This issue affects Photo Gallery by 10Web: from n/a through = 1.8.37...

5.5AI score0.00042EPSS

Exploits0References1

RedhatCVE•added 2026/01/09 10:9 a.m.•6 views

CVE-2019-11590

The 10Web Form Maker plugin before 1.13.5 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $POST'action' value and the $GET'action' value, and the latter is...

8.8CVSS6.9AI score0.00183EPSS

Exploits1References1

RedhatCVE•added 2026/01/09 9:6 a.m.•5 views

CVE-2024-34437

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in 10Web Form Builder Team Form Maker by 10Web allows Stored XSS.This issue affects Form Maker by 10Web: from n/a through 1.15.24...

5.9CVSS5.2AI score0.00135EPSS

Exploits0References1

RedhatCVE•added 2026/01/07 9:32 a.m.•6 views

CVE-2019-16118

Cross site scripting XSS in the photo-gallery 10Web Photo Gallery plugin before 1.5.35 for WordPress exists via admin/controllers/Options.php...

6.1CVSS6.1AI score0.02552EPSS

Exploits4References1

RedhatCVE•added 2026/01/07 9:31 a.m.•10 views

CVE-2019-16119

SQL injection in the photo-gallery 10Web Photo Gallery plugin before 1.5.35 for WordPress exists via the admin/controllers/Albumsgalleries.php albumid parameter...

9.8CVSS8AI score0.34044EPSS

Exploits4References1

RedhatCVE•added 2026/01/07 9:30 a.m.•5 views

CVE-2019-16117

Cross site scripting XSS in the photo-gallery 10Web Photo Gallery plugin before 1.5.35 for WordPress exists via admin/models/Galleries.php...

6.1CVSS6.1AI score0.01645EPSS

Exploits5References1

Patchstack•added 2025/12/08 6:41 a.m.•6 views

WordPress 10Web Booster plugin <= 2.32.7 - Authenticated (Subscriber+) Arbitrary Folder Deletion via two_clear_page_cache vulnerability

Authenticated Subscriber+ Arbitrary Folder Deletion via twoclearpagecache vulnerability discovered by shark3y in WordPress Plugin 10Web Booster – Website speed optimization, Cache & Page Speed optimizer versions = 2.32.7...

9.6CVSS4.6AI score0.00086EPSS

Exploits2References1Affected Software1