Gallery Plugin
by WordPress
Source repositories
CVEs (12)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-4060 | Cri | 0.67 | 9.8 | 0.43 | Jan 16, 2023 | The User Post Gallery WordPress plugin through 2.19 does not limit what callback functions can be called by users, making it possible to any visitors to run code on sites running it. | ||
| CVE-2012-4919 | Cri | 0.64 | 9.8 | 0.03 | Jan 22, 2020 | Gallery Plugin1.4 for WordPress has a Remote File Include Vulnerability | ||
| CVE-2023-3154 | Hig | 0.49 | 7.5 | 0.01 | Oct 16, 2023 | The WordPress Gallery Plugin WordPress plugin before 3.39 is vulnerable to PHAR Deserialization due to a lack of input parameter validation in the `gallery_edit` function, allowing an attacker to access arbitrary resources on the server. | ||
| CVE-2023-3155 | Hig | 0.47 | 7.2 | 0.01 | Oct 16, 2023 | The WordPress Gallery Plugin WordPress plugin before 3.39 is vulnerable to Arbitrary File Read and Delete due to a lack of input parameter validation in the `gallery_edit` function, allowing an attacker to access arbitrary resources on the server. | ||
| CVE-2025-23842 | Hig | 0.46 | 7.1 | 0.00 | Jan 16, 2025 | Cross-Site Request Forgery (CSRF) vulnerability in Nilesh Shiragave WordPress Gallery Plugin wordpress-gallery-plugin allows Cross Site Request Forgery.This issue affects WordPress Gallery Plugin: from n/a through <= 1.4. | ||
| CVE-2024-13906 | Hig | 0.40 | 7.2 | 0.01 | Mar 7, 2025 | The Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.7.3 via deserialization of untrusted input in the 'import_gallery_from_csv' function. This makes… | ||
| CVE-2022-2190 | Med | 0.40 | 6.1 | 0.01 | Oct 31, 2022 | The Gallery Plugin for WordPress plugin before 1.8.4.7 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers | ||
| CVE-2023-3279 | Med | 0.32 | 4.9 | 0.01 | Oct 16, 2023 | The WordPress Gallery Plugin WordPress plugin before 3.39 does not validate some block attributes before using them to generate paths passed to include function/s, allowing Admin users to perform LFI attacks | ||
| CVE-2024-3899 | Med | 0.31 | 4.8 | 0.00 | Sep 11, 2024 | The Gallery Plugin for WordPress WordPress plugin before 1.8.15 does not sanitise and escape some of its image settings, which could allow users with post-writing privilege such as Author to perform Cross-Site Scripting attacks. | ||
| CVE-2024-3582 | Med | 0.31 | 4.8 | 0.00 | May 14, 2024 | The UnGallery WordPress plugin through 2.2.4 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack | ||
| CVE-2022-4142 | Med | 0.31 | 4.8 | 0.00 | Jan 2, 2023 | The WordPress Filter Gallery Plugin WordPress plugin before 0.1.6 does not properly escape the filters passed in the ufg_gallery_filters ajax action before outputting them on the page, allowing a high privileged user such as an administrator to inject HTML or javascript to the… | ||
| CVE-2021-24903 | Med | 0.31 | 4.8 | 0.01 | Feb 28, 2022 | The GRAND FlaGallery WordPress plugin through 6.1.2 does not sanitise and escape some of its gallery settings, which could allow high privilege users to perform Cross-Site scripting attacks even when the unfiltered_html capability is disallowed. |
- risk 0.67cvss 9.8epss 0.43
The User Post Gallery WordPress plugin through 2.19 does not limit what callback functions can be called by users, making it possible to any visitors to run code on sites running it.
- risk 0.64cvss 9.8epss 0.03
Gallery Plugin1.4 for WordPress has a Remote File Include Vulnerability
- risk 0.49cvss 7.5epss 0.01
The WordPress Gallery Plugin WordPress plugin before 3.39 is vulnerable to PHAR Deserialization due to a lack of input parameter validation in the `gallery_edit` function, allowing an attacker to access arbitrary resources on the server.
- risk 0.47cvss 7.2epss 0.01
The WordPress Gallery Plugin WordPress plugin before 3.39 is vulnerable to Arbitrary File Read and Delete due to a lack of input parameter validation in the `gallery_edit` function, allowing an attacker to access arbitrary resources on the server.
- risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Nilesh Shiragave WordPress Gallery Plugin wordpress-gallery-plugin allows Cross Site Request Forgery.This issue affects WordPress Gallery Plugin: from n/a through <= 1.4.
- risk 0.40cvss 7.2epss 0.01
The Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.7.3 via deserialization of untrusted input in the 'import_gallery_from_csv' function. This makes…
- risk 0.40cvss 6.1epss 0.01
The Gallery Plugin for WordPress plugin before 1.8.4.7 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers
- risk 0.32cvss 4.9epss 0.01
The WordPress Gallery Plugin WordPress plugin before 3.39 does not validate some block attributes before using them to generate paths passed to include function/s, allowing Admin users to perform LFI attacks
- risk 0.31cvss 4.8epss 0.00
The Gallery Plugin for WordPress WordPress plugin before 1.8.15 does not sanitise and escape some of its image settings, which could allow users with post-writing privilege such as Author to perform Cross-Site Scripting attacks.
- risk 0.31cvss 4.8epss 0.00
The UnGallery WordPress plugin through 2.2.4 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack
- risk 0.31cvss 4.8epss 0.00
The WordPress Filter Gallery Plugin WordPress plugin before 0.1.6 does not properly escape the filters passed in the ufg_gallery_filters ajax action before outputting them on the page, allowing a high privileged user such as an administrator to inject HTML or javascript to the…
- risk 0.31cvss 4.8epss 0.01
The GRAND FlaGallery WordPress plugin through 6.1.2 does not sanitise and escape some of its gallery settings, which could allow high privilege users to perform Cross-Site scripting attacks even when the unfiltered_html capability is disallowed.