CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2025-0613 – Photo Gallery < 1.8.34 - Unauthenticated Stored XSS
https://notcve.org/view.php?id=CVE-2025-0613
31 Mar 2025 — The Photo Gallery by 10Web WordPress plugin before 1.8.34 does not sanitised and escaped comment added on images by unauthenticated users, leading to an Unauthenticated Stored-XSS attack when comments are displayed • https://wpscan.com/vulnerability/22be2b44-cd42-4b02-8448-59dd2989dde1 •
CVSS: 4.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-13124 – Photo Gallery by 10Web < 1.8.33 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-13124
02 Mar 2025 — The Photo Gallery by 10Web WordPress plugin before 1.8.33 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Gallery Titles in all versions up to, and including, 1.8.32 due to insufficient input... • https://wpscan.com/vulnerability/5b3bf87b-73a1-47e8-bb00-0dfded07b191 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-10704 – Photo Gallery by 10Web < 1.8.31 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-10704
14 Nov 2024 — The Photo Gallery by 10Web WordPress plugin before 1.8.31 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Gallery Titles in all versions up to, and including, 1.8.30 due to insufficient input... • https://wpscan.com/vulnerability/6c115117-11c0-4c9e-9988-8547c9364c01 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9878 – Photo Gallery by 10Web <= 1.8.30 - Authenticated (Administrator+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-9878
04 Nov 2024 — The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.8.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations ... • https://packetstormsecurity.com/files/179357/WordPress-Photo-Gallery-1.8.26-Cross-Site-Scripting.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-5968 – Photo Gallery by 10Web <= 1.8.27 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-5968
09 Oct 2024 — The Photo Gallery by 10Web WordPress plugin before 1.8.28 does not properly sanitise and escape some of its Gallery settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) • https://wpscan.com/vulnerability/db73e8d8-feb1-4daa-937e-a73969a93bcc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8670 – Photo Gallery by 10Web <= 1.8.28 - Authenticated (Administrator+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-8670
03 Oct 2024 — The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.8.28 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations ... • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-44043 – WordPress Photo Gallery by 10Web plugin <= 1.8.27 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-44043
23 Sep 2024 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in 10Web Photo Gallery by 10Web allows Stored XSS.This issue affects Photo Gallery by 10Web: from n/a through 1.8.27. The Photo Gallery by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.8.27 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above,... • https://patchstack.com/database/vulnerability/photo-gallery/wordpress-photo-gallery-by-10web-mobile-friendly-image-gallery-plugin-1-8-27-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5481 – Photo Gallery by 10Web – Mobile-Friendly Image Gallery <= 1.8.23 - Authenticated (Contributor+) Path Traversal via esc_dir Function
https://notcve.org/view.php?id=CVE-2024-5481
06 Jun 2024 — The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.8.23 via the esc_dir function. This makes it possible for authenticated attackers to cut and paste (copy) the contents of arbitrary files on the server, which can contain sensitive information, and to cut (delete) arbitrary directories, including the root WordPress directory. By default this can be exploited by administrators only. In the premium version of ... • https://plugins.trac.wordpress.org/browser/photo-gallery/trunk/filemanager/controller.php#L178 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-35: Path Traversal: '.../ •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5426 – Photo Gallery by 10Web – Mobile-Friendly Image Gallery <= 1.8.23 - Authenticated (Contributor+) Stored Cross-Site Scripting via Zipped SVG
https://notcve.org/view.php?id=CVE-2024-5426
06 Jun 2024 — The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘svg’ parameter in all versions up to, and including, 1.8.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, this can only be exploited by administrators, but the ability to use and configure Photo Gall... • https://plugins.trac.wordpress.org/browser/photo-gallery/trunk/filemanager/UploadHandler.php#L521 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-35628 – WordPress Photo Gallery by 10Web plugin <= 1.8.25 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-35628
27 May 2024 — Missing Authorization vulnerability in Photo Gallery Team Photo Gallery by 10Web.This issue affects Photo Gallery by 10Web: from n/a through 1.8.25. Vulnerabilidad de autorización faltante en Photo Gallery Team Photo Gallery de 10Web. Este problema afecta a Photo Gallery de 10Web: desde n/a hasta 1.8.24. The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the dismiss_notice function in all versions up to, a... • https://patchstack.com/database/vulnerability/photo-gallery/wordpress-photo-gallery-by-10web-plugin-1-8-23-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •