CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 1CVE-2019-16117 – Photo Gallery by 10Web <= 1.5.34 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-16117
Cross site scripting (XSS) in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via admin/models/Galleries.php. Secuencias de comandos de sitios cruzados (XSS) en el complemento de galería de fotos (10Web Photo Gallery) anterior de la versión 1.5.35 para WordPress existe a través de admin / models / Galleries.php. WordPress Photo Gallery plugin version 1.5.34 suffers from multiple cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/47372 http://packetstormsecurity.com/files/154433/WordPress-Photo-Gallery-1.5.34-Cross-Site-Scripting.html https://plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/admin/models/Galleries.php?old=2135029&old_path=photo-gallery%2Ftrunk%2Fadmin%2Fmodels%2FGalleries.php https://wordpress.org/plugins/photo-gallery/#developers https://wpvulndb.com/vulnerabilities/9872 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2019-14313 – Photo Gallery by 10Web <= 1.5.30 - SQL Injection
https://notcve.org/view.php?id=CVE-2019-14313
A SQL injection vulnerability exists in the 10Web Photo Gallery plugin before 1.5.31 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via filemanager/model.php. Se presenta una vulnerabilidad de inyección SQL en el plugin 10Web Photo Gallery anterior a versión 1.5.31 para WordPress. La explotación con éxito de esta vulnerabilidad permitiría a un atacante remoto ejecutar comandos SQL arbitrarios en el sistema afectado por medio del archivo filemanager/model.php. • https://fortiguard.com/zeroday/FG-VD-19-101 https://plugins.trac.wordpress.org/changeset/2128378 https://wordpress.org/plugins/photo-gallery/#developers https://wpvulndb.com/vulnerabilities/9480 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 1CVE-2019-14798 – Photo Gallery by 10Web <= 1.5.24 - Authenticated Local File Inclusion
https://notcve.org/view.php?id=CVE-2019-14798
The 10Web Photo Gallery plugin before 1.5.25 for WordPress has Authenticated Local File Inclusion via directory traversal in the wp-admin/admin-ajax.php?action=shortcode_bwg tagtext parameter. El plugin 10Web Photo Gallery en versiones anteriores a 1.5.25 para WordPress, presenta una Inclusión de Archivos Locales Autenticada por medio de un salto de directorio en el parámetro wp-admin/admin-ajax.php?action=shortcode_bwg tagtext. • https://wordpress.org/plugins/photo-gallery/#developers https://wpvulndb.com/vulnerabilities/9361 https://www.pluginvulnerabilities.com/2019/05/14/authenticated-local-file-inclusion-lfi-vulnerability-in-photo-gallery-by-10web • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2019-14797 – Photo Gallery by 10Web <= 1.5.22 - Authenticated Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-14797
The 10Web Photo Gallery plugin before 1.5.23 for WordPress has authenticated stored XSS. El plugin 10Web Photo Gallery en versiones anteriores a 1.5.23 para WordPress, presenta una vulnerabilidad de tipo XSS almacenado autenticado. • https://wordpress.org/plugins/photo-gallery/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2019-10866 – Form Maker by 10Web <= 1.13.2 - Authenticated SQL Injection
https://notcve.org/view.php?id=CVE-2019-10866
In the Form Maker plugin before 1.13.3 for WordPress, it's possible to achieve SQL injection in the function get_labels_parameters in the file form-maker/admin/models/Submissions_fm.php with a crafted value of the /models/Submissioc parameter. En el plugin de Form Maker anterior de la versión 1.13.3 para WordPress, es posible conseguir una inyección SQL en la función get_labels_parameters en el archivo form-maker/admin/models/Submissions_fm.php con un valor creado del parámetro /models/Submissioc. WordPress Form Maker plugin version 1.13.3 suffers from a remote SQL injection vulnerability. • https://www.exploit-db.com/exploits/46958 http://seclists.org/fulldisclosure/2019/May/8 https://wordpress.org/plugins/form-maker/#developers https://wpvulndb.com/vulnerabilities/9286 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •