CVE-2022-0826
The WP Video Gallery WordPress plugin through 1.7.1 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action, leading to an SQL Injection exploitable by unauthenticated users...
CVE-2022-1946
The Gallery WordPress plugin before 2.0.0 does not sanitise and escape a parameter before outputting it back in the response of an AJAX action available to both unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting issue...
CVE-2022-1282
The Photo Gallery by 10Web WordPress plugin before 1.6.3 does not properly sanitize the $_GET['image_url'] variable, which is reflected back to users when executing the editimage_bwg AJAX action...
CVE-2025-3742
CVE-2025-3742 affects the WordPress plugin "Responsive Lightbox & Gallery" (before 2.5.1). The root cause is attributes that are neither validated nor escaped before being output in pages and posts, enabling Stored Cross-Site Scripting for users with the contributor role and above. The impact is stored XSS in affected content, with ...
CVE-2024-5442
Summary of CVE-2024-5442 (NextGEN Gallery): the WordPress plugin NextGEN Gallery (versions before 3.59.3) contains sanitization and escaping flaws in its settings, enabling Stored Cross-Site Scripting by high-privilege users (e.g., administrators) even when unfiltered_html is disallowed (such as in mult...
Cross site request forgery (csrf)
The Contest Gallery WordPress plugin before 19.1.5.1 and Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cgoptionid POST parameter before concatenating it to an SQL query in export-votes-all.php. This may allow malicious users with administrator privileges, i.e. on multisite...
CVE-2022-4164 Contest Gallery < 19.1.5 - Author+ SQL Injection
The Contest Gallery WordPress plugin before 19.1.5.1 and Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cgmultiplefilesforpost POST parameter before concatenating it to an SQL query in 0change-gallery.php. This may allow malicious users with at least author privileges to leak...
CVE-2022-4158
The CVE-2022-4158 entry concerns the Contest Gallery WordPress plugin (versions prior to 19.1.5.1) and Contest Gallery Pro (prior to 19.1.5.1). The vulnerability arises from failing to escape the cg_Fields POST parameter before concatenating it into an SQL query within users-registry-check-regist...
Cross site scripting
The Image Gallery WordPress plugin before 1.1.6 does not sanitize and escape some of its Image fields, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed...
Tidio Gallery <= 1.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
The tidio-gallery WordPress plugin was affected by an Unauthenticated Reflected Cross-Site Scripting (XSS) security vulnerability. PoC: http://www.example.com/wp-content/plugins/tidio-gallery/popup-insert-help.php?galleryId=""...
CVE-2015-2065
SQL injection vulnerability in videogalleryrss.php in the Apptha WordPress Video Gallery (contus-video-gallery) plugin before 2.8 for WordPress allows remote attackers to execute arbitrary SQL commands via the vid parameter in an rss action to wp-admin/admin-ajax.php...
Lazyest Gallery 0.10.4.3 - Multiple File/Directory Insecure Permissions Local Content Manipulation
The Lazyest Gallery WordPress plugin was affected by a Multiple File/Directory Insecure Permissions Local Content Manipulation security vulnerability...
bp-gallery 1.2.5 - Cross Site Scripting
The bp-gallery WordPress plugin was affected by a Cross Site Scripting security vulnerability...
Fancy Gallery 1.2.4 - Shell Upload
The radykal-fancy-gallery WordPress plugin was affected by a Shell Upload security vulnerability...