CVSS: 9.8EPSS: 62%CPEs: 1EXPL: 3CVE-2015-4133 – ReFlex Gallery » WordPress Photo Gallery < 3.1.4 - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2015-4133
16 Mar 2015 — Unrestricted file upload vulnerability in admin/scripts/FileUploader/php.php in the ReFlex Gallery plugin before 3.1.4 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in uploads/ directory. Vulnerabilidad de la subida de ficheros sin restricciones en admin/scripts/FileUploader/php.php en el plugin ReFlex Gallery anterior a 3.1.4 para WordPress permite a atacantes remotos ejecutar código PHP arbit... • https://www.exploit-db.com/exploits/36809 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 1CVE-2014-9441 – Lightbox Photo Gallery <= 1.0 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2014-9441
12 Dec 2014 — Multiple cross-site request forgery (CSRF) vulnerabilities in the Lightbox Photo Gallery plugin 1.0 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings via unspecified vectors or conduct cross-site scripting (XSS) attacks via the (2) ll__opt[image2_url] or (3) ll__opt[image3_url] parameter in a ll_save_settings action to wp-admin/admin-ajax.php. Múltiples vulnerabilidades de CSRF en el plugin Lightbox Photo Gallery 1.0 para WordPre... • http://packetstormsecurity.com/files/129507 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2014-125096 – Fancy Gallery Plugin Options Page class.options.php cross site scripting
https://notcve.org/view.php?id=CVE-2014-125096
20 Nov 2014 — A vulnerability was found in Fancy Gallery Plugin 1.5.12 on WordPress. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file class.options.php of the component Options Page. The manipulation leads to cross site scripting. The attack can be launched remotely. • https://github.com/wp-plugins/fancy-gallery/commit/fdf1f9e5a1ec738900f962e69c6fa4ec6055ed8d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 4CVE-2014-6315 – Photo Gallery by 10Web <= 1.1.30 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-6315
01 Oct 2014 — Multiple cross-site scripting (XSS) vulnerabilities in the Web-Dorado Photo Gallery plugin 1.1.30 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) callback, (2) dir, or (3) extensions parameter in an addImages action to wp-admin/admin-ajax.php. Múltiples vulnerabilidades de XSS en el plugin Web-Dorado Photo Gallery 1.1.30 y anteriores para WordPress permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro (1... • https://packetstorm.news/files/id/128518 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 2%CPEs: 1EXPL: 4CVE-2014-5201 – Gallery Objects <= 0.4 - SQL Injection
https://notcve.org/view.php?id=CVE-2014-5201
12 Aug 2014 — SQL injection vulnerability in the Gallery Objects plugin 0.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the viewid parameter in a go_view_object action to wp-admin/admin-ajax.php. Vulnerabilidad de inyección SQL en el plugin Gallery Objects 0.4 para WordPress permite a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro viewid en una acción go_view_object en wp-admin/admin-ajax.php. • https://www.exploit-db.com/exploits/34105 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2014-5186 – All Video Gallery Plugin for WordPress <= 1.2 - Authenticated SQL Injection
https://notcve.org/view.php?id=CVE-2014-5186
28 May 2014 — SQL injection vulnerability in the All Video Gallery (all-video-gallery) plugin 1.2 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the id parameter in an edit action in the allvideogallery_videos page to wp-admin/admin.php. Vulnerabilidad de inyección SQL en el plugin All Video Gallery (all-video-gallery) 1.2 para WordPress permite a administradores remotos autenticados ejecutar comandos SQL arbitrarios a través del parámetro id en una acción edit en la página... • http://codevigilant.com/disclosure/wp-plugin-all-video-gallery-a1-injection • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2014-4553 – WP-RSS-Spreadshirt-3DCube-Gallery <= 1.3 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-4553
25 May 2014 — Cross-site Scripting (XSS) in the spreadshirt-rss-3d-cube-flash-gallery plugin 2014 for WordPress allows remote attackers to execute arbitrary web script or HTML via unspecified parameters. Una vulnerabilidad de tipo Cross-site Scripting (XSS) en el plugin spreadshirt-rss-3d-cube-flash-gallery versión 2014 para WordPress, permite a atacantes remotos ejecutar script web o HTML arbitrario por medio de parámetros no especificados. Cross-site Scripting (XSS) in the spreadshirt-rss-3d-cube-flash-gallery plugin t... • http://codevigilant.com/disclosure/wp-plugin-spreadshirt-rss-3d-cube-flash-gallery-a3-cross-site-scripting-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2014-4529 – Flash Photo Gallery <= 0.7 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-4529
25 Apr 2014 — Cross-site scripting (XSS) vulnerability in fpg_preview.php in the Flash Photo Gallery plugin 0.7 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the path parameter. Vulnerabilidad de XSS en fpg_preview.php en el plugin Flash Photo Gallery 0.7 y anteriores para WordPress permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro path. • http://codevigilant.com/disclosure/wp-plugin-flash-photo-gallery-a3-cross-site-scripting-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 0CVE-2012-4919 – WordPress Gallery Plugin <= 1.4 - Unauthenticated Remote File Inclusion
https://notcve.org/view.php?id=CVE-2012-4919
31 Jan 2013 — Gallery Plugin1.4 for WordPress has a Remote File Include Vulnerability Gallery Plugin versión 1.4 para WordPress, presenta una Vulnerabilidad de Inclusión de Archivo Remota. The WordPress Gallery Plugin plugin for WordPress is vulnerable to Remote File Inclusion in versions up to, and including, 1.4 via the 'load' parameter. This allows unauthenticated attackers to include remote files on the server, resulting in code execution. • http://www.securityfocus.com/bid/57650 • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 9.8EPSS: 3%CPEs: 2EXPL: 1CVE-2012-6653 – All Video Gallery <= 1.1 - SQL Injection
https://notcve.org/view.php?id=CVE-2012-6653
02 Nov 2012 — Unspecified vulnerability in the All Video Gallery (all-video-gallery) plugin before 1.2.0 for WordPress has unspecified impact and attack vectors. Vulnerabilidad no especificada en el plugin All Video Gallery (all-video-gallery) anterior a 1.2.0 para WordPress tiene un impacto y vectores de ataque no especificados. The All Video Gallery plugin for WordPress is vulnerable to blind SQL Injection via the ‘ vid’ and 'pid' parameters in versions up to, and including, 1.1 due to insufficient escaping on the user... • https://www.exploit-db.com/exploits/22427 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •