Lucene search
K

5 matches found

CNVD
CNVD
added 2021/06/15 12:0 a.m.23 views

WordPress Gallery from files plugin cross-site scripting vulnerability

WordPress is a blogging platform developed by the WordPress Wordpress Foundation using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL.Gallery from files is a plugin for WordPress. A cross-site scripting vulnerability exists in WordPress Gallery from...

6.1CVSS6.1AI score0.00412EPSS
Exploits2References1
Positive Technologies
Positive Technologies
added 2021/06/14 12:0 a.m.8 views

PT-2021-15885 · WordPress · This Gallery From Files

Name of the Vulnerable Software and Affected Versions: This Gallery from files WordPress plugin versions 1.6.0 and earlier Description: The issue arises from the improper sanitization of filenames before being output in an error message when they have an invalid extension, leading to a reflected...

6.1CVSS6.1AI score0.00412EPSS
Exploits2References7
WPVulnDB
WPVulnDB
added 2021/05/26 12:0 a.m.26 views

Gallery From Files <= 1.6.0 - Reflected Cross-Site Scripting (XSS)

This plugin gives us the functionality of uploading images to the server. But filenames are not properly sanitized before being output in an error message when they have an invalid extension, leading to a reflected Cross-Site Scripting issue. Due to the lack of CSRF check, the attack could also b...

6.1CVSS6.1AI score0.00412EPSS
Exploits2Affected Software1
WPVulnDB
WPVulnDB
added 2021/05/26 12:0 a.m.13 views

Gallery From Files <= 1.6.0 - Unauthenticated RCE

The upload feature of the plugin does not properly check for the allowed extensions, allowing them to be set in the request and attempting to remove the dangerous ones such as .php and .js, but forgetting about .php4, .html etc. As a result, unauthenticated users could upload arbitrary .php4 file...

0.1AI score
Exploits0Affected Software1
Patchstack
Patchstack
added 2021/05/26 12:0 a.m.10 views

WordPress Gallery from files plugin <= 1.60 - Unauthenticated Remote Code Execution (RCE) vulnerability

Unauthenticated Remote Code Execution RCE vulnerability discovered by WPScanTeam in WordPress Gallery from files plugin versions = 1.60. Solution This plugin has been closed as of May 24, 2021 and is not available for download. This closure is temporary, pending a full review...

4.9AI score
Exploits0References2Affected Software1
Rows per page
Query Builder