
CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

The 10WebAnalytics plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.8. This is due to missing or incorrect nonce validation on the create_csv_file() function. This makes it possible for unauthenticated attackers to create a CSV file via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
• https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks
• https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks
• https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1
• https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2
• https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3
• https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4
• https://blo
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Unvalidated input in the Photo Gallery (10Web Photo Gallery) WordPress plugin, versions before 1.5.55, leads to SQL injection via the bwg_search_x parameter in frontend/models/model.php.
• https://wpscan.com/vulnerability/2e33088e-7b93-44af-aa6a-e5d924f86e28
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 5.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

Multiple stored XSS vulnerabilities exist in the 10Web Photo Gallery plugin before 1.5.46 for WordPress. Successful exploitation of this vulnerability would allow an authenticated admin user to inject arbitrary JavaScript code that is viewed by other users.
• https://wordpress.org/plugins/photo-gallery/#developers
• https://wpvulndb.com/vulnerabilities/10088
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

Cross-site scripting (XSS) in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via admin/controllers/Options.php. WordPress Photo Gallery plugin version 1.5.34 suffers from multiple cross-site scripting vulnerabilities.
• https://www.exploit-db.com/exploits/47373
• http://packetstormsecurity.com/files/154433/WordPress-Photo-Gallery-1.5.34-Cross-Site-Scripting.html
• https://plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/admin/controllers/Options.php?old=2142624&old_path=photo-gallery%2Ftrunk%2Fadmin%2Fcontrollers%2FOptions.php
• https://plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/js/bwg.js?old=2135029&old_path=photo-gallery%2Ftrunk%2Fjs%2Fbwg.js
• https://wordpress.org/plugins/photo-gallery/#developers&
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 | EPSS: 94% | CPEs: 1 | EXPL: 1

SQL injection in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via the admin/controllers/Albumsgalleries.php album_id parameter. WordPress Photo Gallery plugin version 1.5.34 suffers from a remote SQL injection vulnerability.
• https://www.exploit-db.com/exploits/47371
• http://packetstormsecurity.com/files/154432/WordPress-Photo-Gallery-1.5.34-SQL-Injection.html
• https://plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/admin/controllers/Albumsgalleries.php?old=1845136&old_path=photo-gallery%2Ftrunk%2Fadmin%2Fcontrollers%2FAlbumsgalleries.php
• https://wordpress.org/plugins/photo-gallery/#developers
• https://wpvulndb.com/vulnerabilities/9872
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')