CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-32583 – WordPress Photo Gallery by 10Web plugin <= 1.8.21 - Reflected Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-32583
18 Apr 2024 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Photo Gallery Team Photo Gallery by 10Web allows Reflected XSS.This issue affects Photo Gallery by 10Web: from n/a through 1.8.21. La vulnerabilidad de neutralización inadecuada de la entrada durante la generación de páginas web ('Cross-site Scripting') en Photo Gallery Team Photo Gallery de 10Web permite Reflected XSS. Este problema afecta a Photo Gallery de 10Web: desde n/a hasta 1.8.21. • https://patchstack.com/database/vulnerability/photo-gallery/wordpress-photo-gallery-by-10web-plugin-1-8-21-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-2296 – Photo Gallery by 10Web – Mobile-Friendly Image Gallery <= 1.8.21 - Authenticated (Admin+) Stored Cross-Site Scripting via SVG
https://notcve.org/view.php?id=CVE-2024-2296
05 Apr 2024 — The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.8.21 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfilte... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3058445%40photo-gallery&new=3058445%40photo-gallery&sfp_email=&sfph_mail= • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-29833 – WordPress Photo Gallery Plugin <= 1.8.21 Stored Cross Site Scripting in UploadHandler
https://notcve.org/view.php?id=CVE-2024-29833
26 Mar 2024 — The image upload component allows SVG files and the regular expression used to remove script tags can be bypassed by using a Cross Site Scripting payload which does not match the regular expression; one example of this is the inclusion of whitespace within the script tag. An attacker must target an authenticated user with permissions to access this feature, however once uploaded the payload is also accessible to unauthenticated users. El componente de carga de imágenes permite archivos SVG y la expresión re... • https://appcheck-ng.com/xss-vulnerabilities-discovered-10web-photogallery-wordpress-plugin • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-29808 – WordPress Photo Gallery Plugin <= 1.8.21 Reflected Cross Site Scripting in editimage_bwg image_id
https://notcve.org/view.php?id=CVE-2024-29808
26 Mar 2024 — The image_id parameter of the AJAX call to the editimage_bwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the image_id parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted and executed. The attacker must target a an authenticated user with permissions to access this component to exploit this issue. El parámetro image_id de la llamada AJAX a la acción editimage_bwg de admin-ajax.php es vulnerable al Cros... • https://appcheck-ng.com/xss-vulnerabilities-discovered-10web-photogallery-wordpress-plugin • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-29809 – WordPress Photo Gallery Plugin <= 1.8.21 Reflected Cross Site Scripting in editimage_bwg image_url
https://notcve.org/view.php?id=CVE-2024-29809
26 Mar 2024 — The image_url parameter of the AJAX call to the editimage_bwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the image_url parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted and executed. The attacker must target a an authenticated user with permissions to access this component to exploit this issue. El parámetro image_url de la llamada AJAX a la acción editimage_bwg de admin-ajax.php es vulnerable al C... • https://appcheck-ng.com/xss-vulnerabilities-discovered-10web-photogallery-wordpress-plugin • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-29810 – WordPress Photo Gallery Plugin <= 1.8.21 Reflected Cross Site Scripting in editimage_bwg thumb_url
https://notcve.org/view.php?id=CVE-2024-29810
26 Mar 2024 — The thumb_url parameter of the AJAX call to the editimage_bwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the thumb_url parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted and executed. The attacker must target a an authenticated user with permissions to access this component to exploit this issue. El parámetro thumb_url de la llamada AJAX a la acción editimage_bwg de admin-ajax.php es vulnerable al C... • https://appcheck-ng.com/xss-vulnerabilities-discovered-10web-photogallery-wordpress-plugin • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-29832 – WordPress Photo Gallery Plugin <= 1.8.21 Unauthenticated Reflected Cross Site Scripting in GalleryBox current_url
https://notcve.org/view.php?id=CVE-2024-29832
26 Mar 2024 — The current_url parameter of the AJAX call to the GalleryBox action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the current_url parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted and executed. No authentication is required to exploit this issue. Note that other parameters within a AJAX call, such as image_id, must be valid for this vulnerability to be successfully exploited. El parámetro current_url de la l... • https://appcheck-ng.com/xss-vulnerabilities-discovered-10web-photogallery-wordpress-plugin • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-2112 – Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder <= 1.15.22 - Sensitive Information Exposure
https://notcve.org/view.php?id=CVE-2024-2112
22 Mar 2024 — The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.15.22 via the signature functionality. This makes it possible for unauthenticated attackers to extract sensitive data including user signatures. El complemento Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder para WordPress es vulnerable a la exposición de información confidencial en todas las version... • https://plugins.trac.wordpress.org/changeset?old_path=/form-maker/tags/1.15.22&old=3057012&new_path=/form-maker/tags/1.15.23&new=3057012&sfp_email=&sfph_mail= • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-0667 – Form-Maker (twb_form-maker) <= 1.15.21 - Cross-Site Request Forgery to Limited Code Execution via Execute
https://notcve.org/view.php?id=CVE-2024-0667
26 Jan 2024 — The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.15.21. This is due to missing or incorrect nonce validation on the 'execute' function. This makes it possible for unauthenticated attackers to execute arbitrary methods in the 'BoosterController' class via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. El compleme... • https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.21/booster/controller.php#L34 • CWE-352: Cross-Site Request Forgery (CSRF) CWE-1078: Inappropriate Source Code Style or Formatting •
CVSS: 9.0EPSS: 6%CPEs: 1EXPL: 1CVE-2023-6985 – 10Web AI Assistant – AI content writing assistant <= 1.0.18 - Missing Authorization to Arbitrary Plugin Installation
https://notcve.org/view.php?id=CVE-2023-6985
25 Jan 2024 — The 10Web AI Assistant – AI content writing assistant plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the install_plugin AJAX action in all versions up to, and including, 1.0.18. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins that can be used to gain further access to a compromised site. El complemento 10Web AI Assistant – AI content writing assistant para WordPress es vulne... • https://github.com/RandomRobbieBF/CVE-2023-6985 • CWE-862: Missing Authorization •