12 results (0.055 seconds)

CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0

The The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution via getshortcodedrenderedfenodelay AJAX action in all versions up to, and including, 8.8.08.007 . This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. • https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/tags/8.8.08.004/wppa-ajax.php#L1238 https://plugins.trac.wordpress.org/changeset/3184852 https://wordpress.org/plugins/wp-photo-album-plus/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/53bb0871-343a-4299-9902-682c422152d1?source=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wppa-tab' parameter in all versions up to, and including, 8.8.05.003 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. El complemento WP Photo Album Plus para WordPress es vulnerable a ataques de Cross-Site Scripting reflejado a través del parámetro 'wppa-tab' en todas las versiones hasta la 8.8.05.003 incluida, debido a una desinfección de entrada y un escape de salida insuficientes. Esto permite que atacantes no autenticados inyecten secuencias de comandos web arbitrarias en páginas que se ejecutan si logran engañar a un usuario para que realice una acción, como hacer clic en un enlace. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3170202%40wp-photo-album-plus&new=3170202%40wp-photo-album-plus&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/3a4f0c06-db88-4950-b1f5-b2aab480c974?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus allows Stored XSS.This issue affects WP Photo Album Plus: from n/a through 8.8.02.002. Vulnerabilidad de neutralización incorrecta de la entrada durante la generación de páginas web (XSS o 'Cross-site Scripting') en JN Breetvelt, también conocido como OpaJaap WP Photo Album Plus, permite XSS almacenado. Este problema afecta a WP Photo Album Plus: desde n/a hasta 8.8.02.002. • https://patchstack.com/database/vulnerability/wp-photo-album-plus/wordpress-wp-photo-album-plus-plugin-8-8-01-007-authenticated-stored-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus allows Reflected XSS.This issue affects WP Photo Album Plus: from n/a through 8.8.00.002. Vulnerabilidad de neutralización incorrecta de la entrada durante la generación de páginas web (XSS o 'Cross-site Scripting') en JN Breetvelt, también conocido como OpaJaap WP Photo Album Plus, permite XSS reflejado. Este problema afecta a WP Photo Album Plus: desde n/a hasta 8.8.00.002. • https://patchstack.com/database/vulnerability/wp-photo-album-plus/wordpress-wp-photo-album-plus-plugin-8-8-00-002-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.7.02.003. This is due to the plugin allowing unauthenticated users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. El complemento WP Photo Album Plus para WordPress es vulnerable a la ejecución arbitraria de códigos cortos en todas las versiones hasta la 8.7.02.003 incluida. Esto se debe a que el complemento permite a usuarios no autenticados ejecutar una acción que no valida correctamente un valor antes de ejecutar do_shortcode. • https://plugins.trac.wordpress.org/browser/wp-photo-album-plus/trunk/wppa-ajax.php#L1138 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3078746%40wp-photo-album-plus&new=3078746%40wp-photo-album-plus&sfp_email=&sfph_mail=#file3 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3079831%40wp-photo-album-plus&new=3079831%40wp-photo-album-plus&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/3d6b95ee • CWE-94: Improper Control of Generation of Code ('Code Injection') •