Page 11 of 212 results (0.004 seconds)

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2

The Photos and Files Contest Gallery WordPress plugin before 21.2.8.1 does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks via certain headers. El complemento Photos and Files Contest Gallery de WordPress anterior a 21.2.8.1 no sanitiza ni escapa a algunos parámetros, lo que podría permitir a usuarios no autenticados realizar ataques de Cross-Site Scripting a través de ciertos encabezados. The Photos and Files Contest Gallery – Contact Form, Upload Form, Social Share and Voting Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via headers in all versions up to 21.2.8.1 (exclusive) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://research.cleantalk.org/cve-2023-5307-photos-and-files-contest-gallery-contact-form-21-2-8-1-unauthenticated-stored-xss-via-http-headers https://wpscan.com/vulnerability/6fac1e09-21ab-430d-b56d-195e7238c08c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

The Automatic YouTube Gallery plugin for WordPress is vulnerable to unauthorized plugin settings change due to a missing capability check on the ajax_callback_save_api_key and ajax_callback_delete_cache functions in versions up to, and including, 2.3.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the plugin API key and delete the plugin cache. • CWE-862: Missing Authorization •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

Cross-Site Request Forgery (CSRF) vulnerability in Hardik Kalathiya WP Gallery Metabox plugin <= 1.0.0 versions. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento Hardik Kalathiya WP Gallery Metabox en versiones &lt;= 1.0.0. The WP Gallery Metabox plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the gallery_metabox() function. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/wp-gallery-metabox/wordpress-wp-gallery-metabox-plugin-1-0-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

The Justified Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'dismiss_how_to_use_notice' and 'dismiss_notice' functions in versions up to, and including, 1.7.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to dismiss admin notices. • CWE-862: Missing Authorization •

CVSS: 9.8EPSS: 2%CPEs: 1EXPL: 2

Projectworlds Online Art Gallery Project 1.0 allows unauthenticated users to perform arbitrary file uploads via the adminHome.php page. Note: This has been disputed as not a valid vulnerability. • https://github.com/Trinity-SYT-SECURITY/arbitrary-file-upload-RCE/blob/main/Online%20Art%20gallery%20project%201.0.md https://www.chtsecurity.com/news/ad3cee07-3e35-45c0-97f9-811cce13dda9 https://www.chtsecurity.com/news/afe25fb4-55ac-45d9-9ece-cbc1edda2fb2%20 https://www.exploit-db.com/exploits/51524 • CWE-434: Unrestricted Upload of File with Dangerous Type •