CVSS: 9.0 • EPSS: 11% • CPEs: 1 • EXPL: 3

16 Nov 2020 — The add artwork functionality in ARTWORKS GALLERY IN PHP, CSS, JAVASCRIPT, AND MYSQL 1.0 allows remote attackers to upload arbitrary files. Artworks Gallery version 1.0 suffers from multiple remote shell upload vulnerabilities. • https://packetstorm.news/files/id/160095 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

22 Aug 2019 — The reflex-gallery plugin before 1.4.3 for WordPress has XSS via the Edit Content URL field. • https://wordpress.org/plugins/reflex-gallery/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

22 Dec 2017 — The mgl-instagram-gallery plugin for WordPress has XSS via the single-gallery.php media parameter. • https://cxsecurity.com/issue/WLB-2017120183 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.2 • EPSS: 14% • CPEs: 1 • EXPL: 1

16 Dec 2016 — The zm-gallery plugin 1.0 for WordPress has SQL injection via the order parameter. • http://lenonleite.com.br/en/2016/12/16/zm-gallery-1-plugin-wordpress-blind-injection • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.1 • EPSS: 4% • CPEs: 1 • EXPL: 1

10 Oct 2016 — Reflected XSS in the WordPress plugin tidio-gallery v1.1 via the galleryId parameter. • http://www.securityfocus.com/bid/93543 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 • EPSS: 3% • CPEs: 1 • EXPL: 5

02 Dec 2015 — lib/core.php in the Cool Video Gallery plugin 1.9 for WordPress allows remote attackers to execute arbitrary code via shell metacharacters in the "Width of preview image" and possibly other input fields in the "Video Gallery Settings" page. • https://packetstorm.news/files/id/134626 • CWE-20: Improper Input Validation • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

28 Jul 2015 — The flickr-justified-gallery plugin before 3.4.0 for WordPress has XSS via several parameters. • https://wordpress.org/plugins/flickr-justified-gallery/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 • EPSS: 8% • CPEs: 1 • EXPL: 1

18 Jul 2015 — Remote file download vulnerability in wptf-image-gallery v1.03. The wptf-image-gallery plugin for WordPress is vulnerable to Arbitrary File Downloads in versions up to, and including, 1.0.3 via the './wptf-image-gallery/lib-mbox/ajax_load.php' file. This makes it possible for unauthenticated attackers to download sensitive files from the vulnerable system. • http://www.vapidlabs.com/advisory.php?v=148 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-285: Improper Authorization

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 2

01 Jul 2015 — upload.php in the Powerplay Gallery plugin 3.3 for WordPress allows remote attackers to create arbitrary directories via vectors related to the targetDir variable. • http://www.openwall.com/lists/oss-security/2015/07/27/8 • CWE-264: Permissions, Privileges, and Access Controls • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 4

27 Jun 2015 — Multiple SQL injection vulnerabilities in upload.php in the Powerplay Gallery plugin 3.3 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) albumid or (2) name parameter. • http://packetstormsecurity.com/files/132671/WordPress-WP-PowerPlayGallery-3.3-File-Upload-SQL-Injection.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')