CVSS: 10.0EPSS: 2%CPEs: 1EXPL: 0CVE-2024-4258 – Video Gallery – YouTube Playlist, Channel Gallery by YotuWP <= 1.3.13 - Unauthenticated Local File Inclusion
https://notcve.org/view.php?id=CVE-2024-4258
14 Jun 2024 — The Video Gallery – YouTube Playlist, Channel Gallery by YotuWP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.13 via the settings parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uplo... • https://plugins.trac.wordpress.org/browser/yotuwp-easy-youtube-embed/trunk/yotuwp.php#L731 • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4551 – Video Gallery – YouTube Playlist, Channel Gallery by YotuWP <= 1.3.13 - Authenticated (Contributor+) Arbitrary File Inclusion via Shortcode
https://notcve.org/view.php?id=CVE-2024-4551
14 Jun 2024 — The Video Gallery – YouTube Playlist, Channel Gallery by YotuWP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.13 via the display function. This makes it possible for authenticated attackers, with contributor access and higher, to include and execute arbitrary php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images an... • https://plugins.trac.wordpress.org/browser/yotuwp-easy-youtube-embed/trunk/inc/views.php#L828 • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-25477 – WordPress Video Gallery Plugin <= 1.3.12 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-25477
07 Jul 2023 — Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Yotuwp Video Gallery plugin <= 1.3.12 versions. Una vulnerabilidad de tipo Cross-Site Scripting (XSS) Autenticada Almacenada (admin+) en el plugin Yotuwp Video Gallery en las versiones anteriores e incluyendo a la v1.3.12. The Video Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticat... • https://patchstack.com/database/vulnerability/yotuwp-easy-youtube-embed/wordpress-video-gallery-youtube-playlist-channel-gallery-by-yotuwp-plugin-1-3-12-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-35726 – WordPress Video Gallery plugin <= 1.3.4.5 - Broken Authentication vulnerability
https://notcve.org/view.php?id=CVE-2022-35726
22 Aug 2022 — Broken Authentication vulnerability in yotuwp Video Gallery plugin <= 1.3.4.5 at WordPress. Una vulnerabilidad de Autenticación Rota en el plugin yotuwp Video Gallery versiones anteriores a 1.3.4.5 incluyéndola, en WordPress. The Video Gallery plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the deletecache function in versions up to, and including, 1.3.8. This makes it possible for unauthenticated attackers to clear the plugin's cache. The plugin added an "is_... • https://patchstack.com/database/vulnerability/yotuwp-easy-youtube-embed/wordpress-video-gallery-plugin-1-3-4-5-broken-authentication • CWE-287: Improper Authentication CWE-862: Missing Authorization •