CVE-2022-1564 – Form Maker By 10Web < 1.14.12 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-1564
The Form Maker by 10Web WordPress plugin before 1.14.12 does not sanitize and escape the Custom Text settings, which could allow high-privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed (WordPress filters post content through kses for users without that capability, but a plugin setting stored and printed verbatim is not covered by that filtering).
• https://wpscan.com/vulnerability/a487c7e7-667c-4c92-a427-c43cc13b348d
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-1320 – Sliderby10Web < 1.2.52 - Admin+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-1320
The Sliderby10Web WordPress plugin before 1.2.52 does not properly sanitize and escape some of its settings, which could allow high-privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
• https://wpscan.com/vulnerability/43581d6b-333a-48d9-a1ae-b9479da8ff87
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-1281 – Photo Gallery < 1.6.3 - Unauthenticated SQL Injection
https://notcve.org/view.php?id=CVE-2022-1281
The Photo Gallery WordPress plugin through 1.6.3 does not properly escape the $_POST['filter_tag'] parameter, which is appended to an SQL query, making SQL Injection attacks possible.
• https://plugins.trac.wordpress.org/changeset/2706797/photo-gallery/trunk/frontend/models/BWGModelGalleryBox.php?old=2587758&old_path=photo-gallery%2Ftrunk%2Ffrontend%2Fmodels%2FBWGModelGalleryBox.php
• https://wpscan.com/vulnerability/2b4866f2-f511-41c6-8135-cf1e0263d8de
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-1282 – Photo Gallery < 1.6.3 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-1282
The Photo Gallery by 10Web WordPress plugin before 1.6.3 does not properly sanitize the $_GET['image_url'] variable, which is reflected back to users when executing the editimage_bwg AJAX action.
• https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2706798%40photo-gallery&old=2694928%40photo-gallery&sfp_email=&sfph_mail=
• https://wpscan.com/vulnerability/37a58f4e-d2bc-4825-8e1b-4aaf0a1cf1b6
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
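The three Cross-Site Scripting entries above (CVE-2022-1564, CVE-2022-1320 and CVE-2022-1282) share one root cause: plugin code writes attacker-controlled text into a page without escaping it, either from a stored setting or straight from a request parameter. The PHP below is an added example, not code from the 10Web plugins or from the advisories; the option name, hook names, handler names, parameter names and capability checks are assumptions chosen to illustrate the pattern. It puts the unsafe form beside a hardened one and shows why the stored case still works for an admin who lacks unfiltered_html.

```php
<?php
// Added example, not code from the 10Web plugins. A hypothetical "custom text"
// setting and a hypothetical AJAX handler that reflects a URL, each in the
// unsafe shape the advisories describe and in a hardened shape. All option,
// hook, handler and parameter names here are assumptions.

// --- Stored XSS through a plugin setting ---------------------------------

// UNSAFE: stored and echoed verbatim. Core's kses filtering applies to post
// content, not to options, so an admin WITHOUT unfiltered_html (multisite, or
// DISALLOW_UNFILTERED_HTML) can still store <script> here and it runs for
// every visitor of the page that prints the setting.
function example_save_custom_text_unsafe() {
    update_option( 'example_custom_text', wp_unslash( $_POST['custom_text'] ) );
}
function example_render_custom_text_unsafe() {
    echo get_option( 'example_custom_text', '' );
}

// HARDENED: sanitize on save according to the saving user's capability, and
// escape on output regardless of what is in the database.
function example_sanitize_custom_text( $value ) {
    $value = (string) $value;
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;               // same freedom core grants this user
    }
    return wp_kses_post( $value );   // drops <script>, on* handlers, javascript: URLs
}
add_action( 'admin_init', function () {
    register_setting( 'example_options', 'example_custom_text', array(
        'type'              => 'string',
        'sanitize_callback' => 'example_sanitize_custom_text',
    ) );
} );
function example_render_custom_text_safe() {
    // Output escaping is the last line of defence: it also covers values that
    // were written before the sanitize callback existed.
    // Use esc_html() instead of wp_kses_post() if the field is plain text.
    echo wp_kses_post( get_option( 'example_custom_text', '' ) );
}

// --- Reflected XSS through an AJAX action --------------------------------

// UNSAFE: a request parameter is written straight into the response markup.
function example_editimage_unsafe() {
    $url = isset( $_GET['image_url'] ) ? wp_unslash( $_GET['image_url'] ) : '';
    echo '<img src="' . $url . '">';
    wp_die();
}

// HARDENED: a nonce and a capability check gate the action, the value is
// validated as a URL, and it is escaped for the attribute it lands in.
function example_editimage_safe() {
    check_ajax_referer( 'example_editimage' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $url = isset( $_GET['image_url'] ) ? esc_url_raw( wp_unslash( $_GET['image_url'] ) ) : '';
    if ( '' === $url ) {
        wp_send_json_error( 'invalid image_url', 400 );
    }
    printf( '<img src="%s" alt="">', esc_url( $url ) );
    wp_die();
}
add_action( 'wp_ajax_example_editimage', 'example_editimage_safe' );
```

The "Admin+" qualifier in the titles is what makes the capability check in the sanitize callback matter: the fix is not to distrust administrators in general, but to give them exactly the HTML freedom WordPress itself would give them for this site, which on a multisite network or with DISALLOW_UNFILTERED_HTML means kses-filtered markup only.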
CVE-2022-0169 – Photo Gallery by 10Web < 1.6.0 - Unauthenticated SQL Injection
https://notcve.org/view.php?id=CVE-2022-0169
The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwg_tag_id_bwg_thumbnails_0 parameter before using it in an SQL statement via the bwg_frontend_data AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL injection.
• https://plugins.trac.wordpress.org/changeset/2672822/photo-gallery#file9
• https://wpscan.com/vulnerability/0b4d870f-eab8-4544-91f8-9c5f0538709c
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
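CVE-2022-1281 and CVE-2022-0169 above both describe a request parameter reaching an SQL statement without escaping, through an AJAX action that WordPress exposes to unauthenticated visitors via the wp_ajax_nopriv_ hook. The PHP below is an added example and not the Photo Gallery plugin's own code; the table name, action name and parameter names are assumptions. It places the concatenation pattern next to a $wpdb->prepare() version, shows the numeric-identifier case (bind with %d, do not quote), and the LIKE case, which needs $wpdb->esc_like() in addition to binding.

```php
<?php
// Added example, not code from the Photo Gallery plugin. A hypothetical
// front-end AJAX handler in the unsafe shape the advisories describe
// (request parameter concatenated into SQL) and a prepared-statement fix.
// Table name, action name and parameter names are assumptions.

// UNSAFE: $_POST['filter_tag'] becomes part of the statement text. Because
// the handler is also hooked on wp_ajax_nopriv_, no login is required.
// An input such as  x' OR '1'='1  keeps the quoting balanced and matches
// every row; a UNION SELECT reads arbitrary tables in the same database.
function example_filter_images_unsafe() {
    global $wpdb;
    $tag = isset( $_POST['filter_tag'] ) ? $_POST['filter_tag'] : '';
    $sql = "SELECT id, filename FROM {$wpdb->prefix}example_images WHERE tag = '" . $tag . "'";
    wp_send_json( $wpdb->get_results( $sql ) );
}

// HARDENED: values are bound through $wpdb->prepare(), so quotes, comment
// sequences and UNION keywords in the input cannot alter statement structure.
function example_filter_images_safe() {
    global $wpdb;

    // String parameter: strip slashes WordPress adds, normalise, then bind as %s.
    $tag = isset( $_POST['filter_tag'] )
        ? sanitize_text_field( wp_unslash( $_POST['filter_tag'] ) )
        : '';

    // Numeric identifier (the tag-id style parameter): cast, then bind as %d.
    // %d emits an unquoted integer, so "1 OR 1=1" collapses to 1.
    $tag_id = isset( $_POST['tag_id'] ) ? absint( $_POST['tag_id'] ) : 0;

    $sql = $wpdb->prepare(
        "SELECT id, filename FROM {$wpdb->prefix}example_images WHERE tag = %s AND tag_id = %d",
        $tag,
        $tag_id
    );
    wp_send_json( $wpdb->get_results( $sql ) );
}

// LIKE patterns need two steps: escape the wildcard characters % and _ with
// esc_like() so the caller cannot widen the match, then bind the whole
// pattern with %s. prepare() alone does not escape wildcards.
function example_search_images_safe( $term ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( sanitize_text_field( $term ) ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, filename FROM {$wpdb->prefix}example_images WHERE filename LIKE %s",
            $like
        )
    );
}

// Register the hardened handler for both logged-in and anonymous callers.
// If the action has no reason to be public, drop the nopriv_ hook: that
// removes the unauthenticated attack surface regardless of query hygiene.
add_action( 'wp_ajax_example_filter',        'example_filter_images_safe' );
add_action( 'wp_ajax_nopriv_example_filter', 'example_filter_images_safe' );
```

When auditing a plugin for this class of bug, grep for `$wpdb->query`, `get_results`, `get_var` and `get_row` calls whose first argument is built with `.` or string interpolation from `$_GET`, `$_POST` or `$_REQUEST`, and check separately which of those code paths are reachable from a `wp_ajax_nopriv_` or `init`-time front-end handler, since that is what turns an SQL injection into an unauthenticated one.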