
CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

Cross site scripting (XSS) in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via admin/controllers/Options.php. WordPress Photo Gallery plugin version 1.5.34 suffers from multiple cross site scripting vulnerabilities.

• https://www.exploit-db.com/exploits/47373
• http://packetstormsecurity.com/files/154433/WordPress-Photo-Gallery-1.5.34-Cross-Site-Scripting.html
• https://plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/admin/controllers/Options.php?old=2142624&old_path=photo-gallery%2Ftrunk%2Fadmin%2Fcontrollers%2FOptions.php
• https://plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/js/bwg.js?old=2135029&old_path=photo-gallery%2Ftrunk%2Fjs%2Fbwg.js
• https://wordpress.org/plugins/photo-gallery/#developers&
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 | EPSS: 95% | CPEs: 1 | EXPL: 1

SQL injection in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via the admin/controllers/Albumsgalleries.php album_id parameter. WordPress Photo Gallery plugin version 1.5.34 suffers from a remote SQL injection vulnerability.

• https://www.exploit-db.com/exploits/47371
• http://packetstormsecurity.com/files/154432/WordPress-Photo-Gallery-1.5.34-SQL-Injection.html
• https://plugins.trac.wordpress.org/changeset/2150912/photo-gallery/trunk/admin/controllers/Albumsgalleries.php?old=1845136&old_path=photo-gallery%2Ftrunk%2Fadmin%2Fcontrollers%2FAlbumsgalleries.php
• https://wordpress.org/plugins/photo-gallery/#developers
• https://wpvulndb.com/vulnerabilities/9872
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

A SQL injection vulnerability exists in the 10Web Photo Gallery plugin before 1.5.31 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via filemanager/model.php.

• https://fortiguard.com/zeroday/FG-VD-19-101
• https://plugins.trac.wordpress.org/changeset/2128378
• https://wordpress.org/plugins/photo-gallery/#developers
• https://wpvulndb.com/vulnerabilities/9480
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 4.9 | EPSS: 0% | CPEs: 1 | EXPL: 1

The 10Web Photo Gallery plugin before 1.5.25 for WordPress has Authenticated Local File Inclusion via directory traversal in the wp-admin/admin-ajax.php?action=shortcode_bwg tagtext parameter.

• https://wordpress.org/plugins/photo-gallery/#developers
• https://wpvulndb.com/vulnerabilities/9361
• https://www.pluginvulnerabilities.com/2019/05/14/authenticated-local-file-inclusion-lfi-vulnerability-in-photo-gallery-by-10web
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
• CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

The 10Web Photo Gallery plugin before 1.5.23 for WordPress has authenticated stored XSS.

• https://wordpress.org/plugins/photo-gallery/#developers
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')