CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-39627 – WordPress Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin <= 3.59.3 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-39627
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Imagely NextGEN Gallery allows Stored XSS.This issue affects NextGEN Gallery: from n/a through 3.59.3. The NextGEN Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.59.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only impacts multi-site installations and installations where unfiltered_html has been disabled. • https://patchstack.com/database/vulnerability/nextgen-gallery/wordpress-photo-gallery-sliders-proofing-and-themes-nextgen-gallery-plugin-3-59-3-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37442 – WordPress Photo Gallery by Ays – Responsive Image Gallery plugin < 5.7.1 - HTML Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-37442
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Photo Gallery Team Photo Gallery by Ays allows Code Injection.This issue affects Photo Gallery by Ays: from n/a before 5.7.1. La neutralización incorrecta de elementos especiales en la salida utilizada por una vulnerabilidad de componente posterior ('inyección') en Photo Gallery Team Photo Gallery by Ays permite la inyección de código. Este problema afecta a Photo Gallery by Ays: desde n/a antes de 5.7.1. The Photo Gallery by Ays – Responsive Image Gallery plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 5.7.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary HTML in pages that will render whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/gallery-photo-gallery/wordpress-photo-gallery-by-ays-responsive-image-gallery-plugin-5-7-1-html-injection-vulnerability?_s_id=cve • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37246 – WordPress Gallery Slideshow plugin <= 1.4.1 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-37246
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Jethin Gallery Slideshow allows Stored XSS.This issue affects Gallery Slideshow: from n/a through 1.4.1. Vulnerabilidad de neutralización incorrecta de la entrada durante la generación de páginas web (XSS o 'Cross-site Scripting') en Jethin Gallery Slideshow permite XSS almacenado. Este problema afecta a Gallery Slideshow: desde n/a hasta 1.4.1. The Gallery Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/gallery-slideshow/wordpress-gallery-slideshow-plugin-1-4-1-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37095 – Envira Photo Gallery <= 1.8.7.3 - Cross-Site Request Forgery to Notice Dismissal
https://notcve.org/view.php?id=CVE-2024-37095
The Envira Photo Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.7.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to dismiss notices via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-35720 – WordPress Album Gallery – WordPress Gallery plugin <= 1.5.7 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-35720
Missing Authorization vulnerability in A WP Life Album Gallery – WordPress Gallery.This issue affects Album Gallery – WordPress Gallery: from n/a through 1.5.7. Vulnerabilidad de autorización faltante en A WP Life Album Gallery – WordPress Gallery. Este problema afecta a la Galería de álbumes – Galería de WordPress: desde n/a hasta 1.5.7. The Album Gallery – WordPress Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_album_gallery and _ag_save_settings functions in versions up to, and including, 1.5.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to update plugin settings. • https://patchstack.com/database/vulnerability/new-album-gallery/wordpress-album-gallery-wordpress-gallery-plugin-1-5-7-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •