
CVSS: 7.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bruno "Aesqe" Babic File Gallery allows Reflected XSS. This issue affects File Gallery: from n/a through 1.8.5.4.

The File Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'post_id' parameter in versions up to, and including, 1.8.5.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

• https://patchstack.com/database/vulnerability/file-gallery/wordpress-file-gallery-plugin-1-8-5-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.2 | EPSS: 0% | CPEs: 63 | EXPL: 1

The File Gallery plugin before 1.7.9.2 for WordPress does not properly escape strings, which allows remote administrators to execute arbitrary PHP code via a \' (backslash quote) in the setting fields to /wp-admin/options-media.php, related to the create_function function.

• http://seclists.org/fulldisclosure/2014/Apr/305
• http://wordpress.org/plugins/file-gallery/changelog
• http://www.securityfocus.com/bid/67120
• http://www.securityfocus.com/bid/67183
• CWE-94: Improper Control of Generation of Code ('Code Injection')