CVE-2024-29809 – WordPress Photo Gallery Plugin <= 1.8.21 Reflected Cross Site Scripting in editimage_bwg image_url
https://notcve.org/view.php?id=CVE-2024-29809
The image_url parameter of the AJAX call to the editimage_bwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the image_url parameter is embedded within existing JavaScript in the response, allowing arbitrary JavaScript to be inserted and executed. The attacker must target an authenticated user with permissions to access this component to exploit this issue.
• https://appcheck-ng.com/xss-vulnerabilities-discovered-10web-photogallery-wordpress-plugin
• https://wordpress.org/plugins/photo-gallery/#developers
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-29832 – WordPress Photo Gallery Plugin <= 1.8.21 Unauthenticated Reflected Cross Site Scripting in GalleryBox current_url
https://notcve.org/view.php?id=CVE-2024-29832
The current_url parameter of the AJAX call to the GalleryBox action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the current_url parameter is embedded within existing JavaScript in the response, allowing arbitrary JavaScript to be inserted and executed. No authentication is required to exploit this issue. Note that other parameters within the AJAX call, such as image_id, must be valid for this vulnerability to be successfully exploited.
• https://appcheck-ng.com/xss-vulnerabilities-discovered-10web-photogallery-wordpress-plugin
• https://wordpress.org/plugins/photo-gallery/#developers
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-29810 – WordPress Photo Gallery Plugin <= 1.8.21 Reflected Cross Site Scripting in editimage_bwg thumb_url
https://notcve.org/view.php?id=CVE-2024-29810
The thumb_url parameter of the AJAX call to the editimage_bwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the thumb_url parameter is embedded within existing JavaScript in the response, allowing arbitrary JavaScript to be inserted and executed. The attacker must target an authenticated user with permissions to access this component to exploit this issue.
• https://appcheck-ng.com/xss-vulnerabilities-discovered-10web-photogallery-wordpress-plugin
• https://wordpress.org/plugins/photo-gallery/#developers
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-29808 – WordPress Photo Gallery Plugin <= 1.8.21 Reflected Cross Site Scripting in editimage_bwg image_id
https://notcve.org/view.php?id=CVE-2024-29808
The image_id parameter of the AJAX call to the editimage_bwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the image_id parameter is embedded within existing JavaScript in the response, allowing arbitrary JavaScript to be inserted and executed. The attacker must target an authenticated user with permissions to access this component to exploit this issue.
• https://appcheck-ng.com/xss-vulnerabilities-discovered-10web-photogallery-wordpress-plugin
• https://wordpress.org/plugins/photo-gallery/#developers
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-2112 – Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder <= 1.15.22 - Sensitive Information Exposure
https://notcve.org/view.php?id=CVE-2024-2112
The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.15.22 via the signature functionality. This makes it possible for unauthenticated attackers to extract sensitive data, including user signatures.
• https://plugins.trac.wordpress.org/changeset?old_path=/form-maker/tags/1.15.22&old=3057012&new_path=/form-maker/tags/1.15.23&new=3057012&sfp_email=&sfph_mail=
• https://www.wordfence.com/threat-intel/vulnerabilities/id/5652f9c3-3cc9-4541-8209-40117b4d25d9?source=cve
• CWE-287: Improper Authentication