10web Photo Gallery

11 matches found

CVE
added 2019/09/08 11:15 p.m., 141 views

CVE-2019-16118

Cross site scripting (XSS) in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via admin/controllers/Options.php.

CVSS 6.1, AI score 6.1, EPSS 0.02707

CVE
added 2019/09/08 11:15 p.m., 133 views

CVE-2019-16117

Cross site scripting (XSS) in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via admin/models/Galleries.php.

CVSS 6.1, AI score 5.5, EPSS 0.01799

CVE
added 2022/05/02 4:15 p.m., 84 views

CVE-2022-1282

The Photo Gallery by 10Web WordPress plugin before 1.6.3 does not properly sanitize the $_GET['image_url'] variable, which is reflected back to the users when executing the editimage_bwg AJAX action.

CVSS 6.1, AI score 6.2, EPSS 0.00275

CVE
added 2023/06/07 2:15 p.m., 78 views

CVE-2021-46889

The 10Web Photo Gallery plugin through 1.5.69 for WordPress allows XSS via theme_id for bwg_frontend_data. NOTE: other parameters are covered by CVE-2021-24291, CVE-2021-25041, and CVE-2021-31693.

CVSS 6.1, AI score 5.9, EPSS 0.14622

CVE
added 2021/05/14 12:15 p.m., 68 views

CVE-2021-24291

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.69 was vulnerable to Reflected Cross-Site Scripting (XSS) issues via the gallery_id, tag, album_id and _id GET parameters passed to the bwg_frontend_data AJAX action (available to both unauthenticated and authent...

CVSS 6.1, AI score 5.9, EPSS 0.14622

CVE
added 2015/02/02 3:59 p.m., 56 views

CVE-2015-1393

SQL injection vulnerability in the Photo Gallery plugin before 1.2.11 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the asc_or_desc parameter in a create gallery request in the galleries_bwg page to wp-admin/admin.php.

CVSS 6.5, AI score 8.1, EPSS 0.00318

CVE
added 2024/03/26 4:15 p.m., 55 views

CVE-2024-29832

The current_url parameter of the AJAX call to the GalleryBox action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the current_url parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted and executed. No a...

CVSS 6.1, AI score 6.7, EPSS 0.00097

CVE
added 2024/06/07 10:15 a.m., 50 views

CVE-2024-5426

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘svg’ parameter in all versions up to, and including, 1.8.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated atta...

CVSS 6.4, AI score 5.5, EPSS 0.0026

CVE
added 2021/12/06 4:15 p.m., 48 views

CVE-2021-25041

The Photo Gallery by 10Web WordPress plugin before 1.5.68 is vulnerable to Reflected Cross-Site Scripting (XSS) issues via the bwg_album_breadcrumb_0 and shortcode_id GET parameters passed to the bwg_frontend_data AJAX action.

CVSS 6.1, AI score 5.9, EPSS 0.00149

CVE
added 2025/03/31 6:15 a.m., 46 views

CVE-2025-0613

The Photo Gallery by 10Web WordPress plugin before 1.8.34 does not sanitise and escape comments added on images by unauthenticated users, leading to an Unauthenticated Stored-XSS attack when comments are displayed.

CVSS 6.1, AI score 7.2, EPSS 0.00092

CVE
added 2021/08/16 11:15 a.m., 43 views

CVE-2021-24362

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded SVG files added to a gallery do not contain malicious content. As a result, users allowed to add images to gallery can upload an SVG file containing JavaScript code, which will be ...

CVSS 6.1, AI score 5.9, EPSS 0.00288