CVE-2021-25115 – WP Photo Album Plus < 8.0.10 - Stored Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-25115
The WP Photo Album Plus WordPress plugin before 8.0.10 was vulnerable to Stored Cross-Site Scripting (XSS). Error log content was handled improperly, so any user, even an unauthenticated one, could cause arbitrary JavaScript to be executed in the admin panel. • https://plugins.trac.wordpress.org/changeset/2655859/wp-photo-album-plus • https://wpscan.com/vulnerability/dbc18c2c-7547-44fc-8a41-c819757e47a7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-8814 – WP Photo Album Plus <= 5.4.17 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-8814
The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘walbum’ parameter in versions up to, and including, 5.4.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')