CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37246 – WordPress Gallery Slideshow plugin <= 1.4.1 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-37246
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Jethin Gallery Slideshow allows Stored XSS.This issue affects Gallery Slideshow: from n/a through 1.4.1. Vulnerabilidad de neutralización incorrecta de la entrada durante la generación de páginas web (XSS o 'Cross-site Scripting') en Jethin Gallery Slideshow permite XSS almacenado. Este problema afecta a Gallery Slideshow: desde n/a hasta 1.4.1. The Gallery Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/gallery-slideshow/wordpress-gallery-slideshow-plugin-1-4-1-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41876 – WordPress WP Gallery Metabox Plugin <= 1.0.0 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-41876
Cross-Site Request Forgery (CSRF) vulnerability in Hardik Kalathiya WP Gallery Metabox plugin <= 1.0.0 versions. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento Hardik Kalathiya WP Gallery Metabox en versiones <= 1.0.0. The WP Gallery Metabox plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the gallery_metabox() function. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/wp-gallery-metabox/wordpress-wp-gallery-metabox-plugin-1-0-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 2%CPEs: 1EXPL: 2CVE-2023-37152
https://notcve.org/view.php?id=CVE-2023-37152
Projectworlds Online Art Gallery Project 1.0 allows unauthenticated users to perform arbitrary file uploads via the adminHome.php page. Note: This has been disputed as not a valid vulnerability. • https://github.com/Trinity-SYT-SECURITY/arbitrary-file-upload-RCE/blob/main/Online%20Art%20gallery%20project%201.0.md https://www.chtsecurity.com/news/ad3cee07-3e35-45c0-97f9-811cce13dda9 https://www.chtsecurity.com/news/afe25fb4-55ac-45d9-9ece-cbc1edda2fb2%20 https://www.exploit-db.com/exploits/51524 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-2561 – Gallery Metabox <= 1.5 - Missing Authorization via gallery_remove
https://notcve.org/view.php?id=CVE-2023-2561
The Gallery Metabox for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the gallery_remove function in versions up to, and including, 1.5. This makes it possible for subscriber-level attackers to modify galleries attached to posts and pages with this plugin. • https://plugins.trac.wordpress.org/browser/gallery-metabox/trunk/gallery-metabox.php?rev=611664#L233 https://www.wordfence.com/threat-intel/vulnerabilities/id/faad339f-96d6-4937-a1f3-9d2d19bc6395?source=cve • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-2562 – Gallery Metabox <= 1.5 - Missing Authorization via refresh_metabox
https://notcve.org/view.php?id=CVE-2023-2562
The Gallery Metabox for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the refresh_metabox function in versions up to, and including, 1.5. This makes it possible for subscriber-level attackers to obtain a list of images attached to a post. • https://plugins.trac.wordpress.org/browser/gallery-metabox/trunk/gallery-metabox.php?rev=611664#L203 https://www.wordfence.com/threat-intel/vulnerabilities/id/951e4651-56d6-474d-84b3-5a7cfc357b9f?source=cve • CWE-862: Missing Authorization •