CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9416 – Modula Image Gallery <= 2.10.1 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via FancyBox 5 JavaScript Library
https://notcve.org/view.php?id=CVE-2024-9416
02 Apr 2025 — The Modula Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bundled FancyBox JavaScript library (versions <= 5.0.36) due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/changeset/3160235/modula-best-grid-gallery • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-12853 – Modula Image Gallery <= 2.11.10 - Authenticated (Author+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-12853
07 Jan 2025 — The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the zip upload functionality in all versions up to, and including, 2.11.10. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3218127%40modula-best-grid-gallery&new=3218127%40modula-best-grid-gallery&sfp_email=&sfph_mail= • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-9003 – Modula Image Gallery <= 2.2.4 - Authenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2020-9003
19 Feb 2020 — A stored XSS vulnerability exists in the Modula Image Gallery plugin before 2.2.5 for WordPress. Successful exploitation of this vulnerability would allow an authenticated low-privileged user to inject arbitrary JavaScript code that is viewed by other users. Se presenta una vulnerabilidad de tipo XSS almacenado en el plugin Modula Image Gallery versiones anteriores a 2.2.5 para WordPress. Una explotación con éxito de esta vulnerabilidad permitiría a un usuario poco privilegiado autenticado inyectar código J... • https://fortiguard.com/zeroday/FG-VD-20-041 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •