
CVE-2015-1394 – Photo Gallery by 10Web <= 1.2.10 - Authenticated Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2015-1394
28 Jan 2015 — Multiple cross-site scripting (XSS) vulnerabilities in the Photo Gallery plugin before 1.2.11 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via the (1) sort_by, (2) sort_order, (3) items_view, (4) dir, (5) clipboard_task, (6) clipboard_files, (7) clipboard_src, or (8) clipboard_dest parameters in an addImages action to wp-admin/admin-ajax.php. • https://packetstorm.news/files/id/130149 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2014-9312 – Photo Gallery by 10Web <= 1.2.5 - Unrestricted File Upload
https://notcve.org/view.php?id=CVE-2014-9312
26 Jan 2015 — Unrestricted File Upload vulnerability in Photo Gallery 1.2.5. Photo Gallery Plugin for WordPress contains a flaw that allows a remote attacker to execute arbitrary PHP code. This flaw exists because the photo-gallery\photo-gallery.php script allows access to filemanager\UploadHandler.php. The post() method in UploadHandler.php • https://packetstorm.news/files/id/130104 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2015-1393 – Photo Gallery by 10Web <= 1.2.10 - Authenticated SQL Injection via asc_or_desc Parameter
https://notcve.org/view.php?id=CVE-2015-1393
23 Jan 2015 — SQL injection vulnerability in the Photo Gallery plugin before 1.2.11 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the asc_or_desc parameter in a create gallery request in the galleries_bwg page to wp-admin/admin.php. • https://packetstorm.news/files/id/130148 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2015-1055 – Photo Gallery by 10Web <= 1.2.7 - Unauthenticated Blind SQL Injection via order_by Parameter
https://notcve.org/view.php?id=CVE-2015-1055
12 Jan 2015 — SQL injection vulnerability in the Photo Gallery plugin 1.2.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the order_by parameter in a GalleryBox action to wp-admin/admin-ajax.php. • http://seclists.org/fulldisclosure/2015/Jan/36 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2015-9380 – Photo Gallery by 10Web <= 1.2.41 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2015-9380
07 May 2014 — The Photo Gallery plugin before 1.2.42 for WordPress has CSRF. • https://wordpress.org/plugins/photo-gallery/#developers • CWE-352: Cross-Site Request Forgery (CSRF)