CVE-2023-28497 – WordPress Slideshow Gallery Plugin <= 1.7.6 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-28497
Cross-Site Request Forgery (CSRF) vulnerability in Tribulant Slideshow Gallery LITE plugin <= 1.7.6 versions. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento Tribulant Slideshow Gallery LITE en versiones <= 1.7.6. The Slideshow Gallery LITE plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.6. This is due to missing or incorrect nonce validation on the admin_slides function. This makes it possible for unauthenticated attackers to delete slides via forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/slideshow-gallery/wordpress-slideshow-gallery-lite-plugin-1-7-6-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2021-24882 – Slideshow Gallery < 1.7.4 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24882
The Slideshow Gallery WordPress plugin before 1.7.4 does not sanitise and escape the Slide "Title", "Description", and Gallery "Title" fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed El plugin Slideshow Gallery de WordPress versiones anteriores a 1.7.4, no sanea ni escapa de los campos "Title" de la diapositiva, "Description" y "Title" de la galería, que podría permitir a usuarios con privilegios elevados llevar a cabo ataques de tipo Cross-Site Scripting incluso cuando el unfiltered_html está deshabilitado • https://wpscan.com/vulnerability/6d71816c-8267-4b84-9087-191fbb976e72 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-18018 – Slideshow Gallery <= 1.6.8 - SQL Injection
https://notcve.org/view.php?id=CVE-2018-18018
SQL Injection exists in the Tribulant Slideshow Gallery plugin 1.6.8 for WordPress via the wp-admin/admin.php?page=slideshow-galleries&method=save Gallery[id] or Gallery[title] parameter. El plugin Tribulant Slideshow Gallery 1.6.8 para WordPress es vulnerable a una inyección SQL a través del parámetro wp-admin/admin.php?page=slideshow-galleries&method=save Gallery[id] o Gallery[title]. • https://ansawaf.blogspot.com/2019/04/xss-and-sqli-in-slideshow-gallery.html https://docs.google.com/document/d/1rwN4hJkD5TJfCa16rsGwzYhzL-ODd2VLkFnPvAIq4Ys/edit?usp=sharing • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2018-18017 – Slideshow Gallery <= 1.6.8 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-18017
XSS exists in the Tribulant Slideshow Gallery plugin 1.6.8 for WordPress via the wp-admin/admin.php?page=slideshow-galleries&method=save Gallery[id] or Gallery[title] parameter. El plugin Tribulant Slideshow Gallery 1.6.8 para WordPress es vulnerable a un Cross-site scripting (XSS) a través del parámetro wp-admin/admin.php?page=slideshow-galleries&method=save Gallery[id] o Gallery[title]. • https://ansawaf.blogspot.com/2019/04/xss-and-sqli-in-slideshow-gallery.html https://docs.google.com/document/d/1rwN4hJkD5TJfCa16rsGwzYhzL-ODd2VLkFnPvAIq4Ys/edit?usp=sharing • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-18019 – Slideshow Gallery <= 1.6.8 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-18019
XSS exists in the Tribulant Slideshow Gallery plugin 1.6.8 for WordPress via the wp-admin/admin.php?page=slideshow-slides&method=save Slide[title], Slide[media_file], or Slide[image_url] parameter. El plugin Tribulant Slideshow Gallery 1.6.8 para WordPress es vulnerable a un Cross-site scripting (XSS) a través del parámetro wp-admin/admin.php?page=slideshow-slides&method=save Slide[title], Slide[media_file], o Slide[image_url]. • https://ansawaf.blogspot.com/2019/04/xss-and-sqli-in-slideshow-gallery.html https://docs.google.com/document/d/1rwN4hJkD5TJfCa16rsGwzYhzL-ODd2VLkFnPvAIq4Ys/edit?usp=sharing • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •