VYPR

Photo Gallery By 10web

by WordPress

CVEs (35)

  • CVE-2022-0169CriMar 14, 2022
    risk 0.73cvss 9.8epss 0.75

    The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwg_tag_id_bwg_thumbnails_0 parameter before using it in a SQL statement via the bwg_frontend_data AJAX action (available to unauthenticated and authenticated users), leading to an…

  • CVE-2019-16119CriSep 8, 2019
    risk 0.69cvss 9.8epss 0.25

    SQL injection in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via the admin/controllers/Albumsgalleries.php album_id parameter.

  • CVE-2019-14313CriJul 30, 2019
    risk 0.64cvss 9.8epss 0.04

    A SQL injection vulnerability exists in the 10Web Photo Gallery plugin before 1.5.31 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via filemanager/model.php.

  • CVE-2026-49771HigJun 4, 2026
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in 10Web Photo Gallery by 10Web allows Blind SQL Injection. This issue affects Photo Gallery by 10Web: from n/a through 1.8.41.

  • CVE-2024-32583HigApr 18, 2024
    risk 0.46cvss 7.1epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Photo Gallery Team Photo Gallery by 10Web allows Reflected XSS.This issue affects Photo Gallery by 10Web: from n/a through 1.8.21.

  • CVE-2026-7048MedMay 28, 2026
    risk 0.42cvss 6.5epss 0.01

    The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order_by' parameter in all versions up to, and including, 1.8.40 due to insufficient escaping on the user supplied parameter and lack of…

  • CVE-2021-24291MedMay 14, 2021
    risk 0.41cvss 6.1epss 0.14

    The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.69 was vulnerable to Reflected Cross-Site Scripting (XSS) issues via the gallery_id, tag, album_id and _id GET parameters passed to the bwg_frontend_data AJAX action (available to both…

  • CVE-2025-2269MedApr 12, 2025
    risk 0.40cvss 6.1epss 0.00

    The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘image_id’ parameter in all versions up to, and including, 1.8.34 due to insufficient input sanitization and output escaping. This makes…

  • CVE-2025-0613MedMar 31, 2025
    risk 0.40cvss 6.1epss 0.00

    The Photo Gallery by 10Web WordPress plugin before 1.8.34 does not sanitised and escaped comment added on images by unauthenticated users, leading to an Unauthenticated Stored-XSS attack when comments are displayed

  • CVE-2021-46889MedJun 7, 2023
    risk 0.40cvss 6.1epss 0.01

    The 10Web Photo Gallery plugin through 1.5.69 for WordPress allows XSS via theme_id for bwg_frontend_data. NOTE: other parameters are covered by CVE-2021-24291, CVE-2021-25041, and CVE-2021-31693.

  • CVE-2021-31693MedNov 29, 2022
    risk 0.40cvss 6.1epss 0.00

    The 10Web Photo Gallery plugin through 1.5.68 for WordPress allows XSS via album_gallery_id_0, bwg_album_search_0, and type_0 for bwg_frontend_data. NOTE: other parameters are covered by CVE-2021-24291, CVE-2021-25041, and CVE-2021-46889. NOTE: VMware information, previously…

  • CVE-2022-1282MedMay 2, 2022
    risk 0.40cvss 6.1epss 0.01

    The Photo Gallery by 10Web WordPress plugin before 1.6.3 does not properly sanitize the $_GET['image_url'] variable, which is reflected back to the users when executing the editimage_bwg AJAX action.

  • CVE-2021-25041MedDec 6, 2021
    risk 0.40cvss 6.1epss 0.01

    The Photo Gallery by 10Web WordPress plugin before 1.5.68 is vulnerable to Reflected Cross-Site Scripting (XSS) issues via the bwg_album_breadcrumb_0 and shortcode_id GET parameters passed to the bwg_frontend_data AJAX action

  • CVE-2021-24362MedAug 16, 2021
    risk 0.40cvss 6.1epss 0.01

    The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded SVG files added to a gallery do not contain malicious content. As a result, users allowed to add images to gallery can upload an SVG file containing…

  • CVE-2024-44043MedOct 6, 2024
    risk 0.38cvss 5.9epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10Web Photo Gallery by 10Web photo-gallery allows Stored XSS.This issue affects Photo Gallery by 10Web: from n/a through <= 1.8.27.

  • CVE-2024-5481MedJun 7, 2024
    risk 0.37cvss 6.8epss 0.01

    The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.8.23 via the esc_dir function. This makes it possible for authenticated attackers to cut and paste (copy) the contents of…

  • CVE-2026-9829MedJun 6, 2026
    risk 0.35cvss 6.5epss 0.00

    The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based SQL Injection via 'compact_album_order_by' Shortcode Parameter in all versions up to, and including, 1.8.41 due to insufficient escaping on the user supplied parameter…

  • CVE-2024-5426MedJun 7, 2024
    risk 0.35cvss 6.4epss 0.00

    The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘svg’ parameter in all versions up to, and including, 1.8.23 due to insufficient input sanitization and output escaping. This makes it…

  • CVE-2022-4058MedDec 19, 2022
    risk 0.35cvss 5.4epss 0.00

    The Photo Gallery by 10Web WordPress plugin before 1.8.3 does not validate and escape some parameters before outputting them back in in JS code later on in another page, which could lead to Stored XSS issue when an attacker makes a logged in admin open a malicious URL or page…

  • CVE-2019-14797MedAug 9, 2019
    risk 0.35cvss 5.4epss 0.01

    The 10Web Photo Gallery plugin before 1.5.23 for WordPress has authenticated stored XSS.

Page 1 of 2