VYPR

Photogallery

by WordPress

Source repositories

CVEs (41)

  • CVE-2024-5481MedJun 7, 2024
    risk 0.37cvss 6.8epss 0.01

    The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.8.23 via the esc_dir function. This makes it possible for authenticated attackers to cut and paste (copy) the contents of…

  • CVE-2024-2296MedApr 6, 2024
    risk 0.36cvss 5.5epss 0.00

    The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.8.21 due to insufficient input sanitization and output escaping. This makes it possible for…

  • CVE-2026-9829MedJun 6, 2026
    risk 0.35cvss 6.5epss 0.00

    The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based SQL Injection via 'compact_album_order_by' Shortcode Parameter in all versions up to, and including, 1.8.41 due to insufficient escaping on the user supplied parameter…

  • CVE-2024-5426MedJun 7, 2024
    risk 0.35cvss 6.4epss 0.00

    The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘svg’ parameter in all versions up to, and including, 1.8.23 due to insufficient input sanitization and output escaping. This makes it…

  • CVE-2024-29833MedMar 26, 2024
    risk 0.35cvss 5.4epss 0.00

    The image upload component allows SVG files and the regular expression used to remove script tags can be bypassed by using a Cross Site Scripting payload which does not match the regular expression; one example of this is the inclusion of whitespace within the script tag. An…

  • CVE-2024-29810MedMar 26, 2024
    risk 0.35cvss 5.4epss 0.00

    The thumb_url parameter of the AJAX call to the editimage_bwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the thumb_url parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted…

  • CVE-2024-29809MedMar 26, 2024
    risk 0.35cvss 5.4epss 0.00

    The image_url parameter of the AJAX call to the editimage_bwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the image_url parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted…

  • CVE-2024-29808MedMar 26, 2024
    risk 0.35cvss 5.4epss 0.00

    The image_id parameter of the AJAX call to the editimage_bwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the image_id parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted…

  • CVE-2015-2324MedFeb 19, 2018
    risk 0.35cvss 5.4epss 0.01

    Cross-site scripting (XSS) vulnerability in the filemanager in the Photo Gallery plugin before 1.2.13 for WordPress allows remote authenticated users with edit permission to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2026-1036MedJan 22, 2026
    risk 0.34cvss 5.3epss 0.00

    The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_comment() function in all versions up to, and including, 1.8.36. This makes it possible for…

  • CVE-2024-33586MedApr 29, 2024
    risk 0.34cvss 5.3epss 0.00

    Missing Authorization vulnerability in Photo Gallery Team Photo Gallery by 10Web.This issue affects Photo Gallery by 10Web: from n/a through 1.8.20.

  • CVE-2023-1427MedApr 17, 2023
    risk 0.32cvss 4.9epss 0.01

    - The Photo Gallery by 10Web WordPress plugin before 1.8.15 did not ensure that uploaded files are kept inside its uploads folder, allowing high privilege users to put images anywhere in the filesystem via a path traversal vector.

  • CVE-2024-8670MedMay 15, 2025
    risk 0.31cvss 4.8epss 0.00

    The Photo Gallery by 10Web WordPress plugin before 1.8.29 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example…

  • CVE-2023-33995MedDec 13, 2024
    risk 0.28cvss 4.3epss 0.01

    Missing Authorization vulnerability in Photo Gallery Team Photo Gallery by 10Web allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Photo Gallery by 10Web: from n/a through 1.8.15.

  • CVE-2015-1394MedFeb 8, 2020
    risk 0.28cvss 5.4epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in the Photo Gallery plugin before 1.2.11 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via the (1) sort_by, (2) sort_order, (3) items_view, (4) dir, (5) clipboard_task, (6)…

  • CVE-2024-13124LowMar 24, 2025
    risk 0.23cvss 3.5epss 0.00

    The Photo Gallery by 10Web WordPress plugin before 1.8.33 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example…

  • CVE-2025-13685MedDec 2, 2025
    risk 0.21cvss 4.3epss 0.00

    The Photo Gallery by Ays plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.4.8. This is due to missing nonce verification on the bulk action functionality in the 'process_bulk_action()' function. This makes it possible for…

  • CVE-2006-6937Jan 17, 2007
    risk 0.03cvss epss 0.01

    SQL injection vulnerability in displaypic.asp in Xtreme ASP Photo Gallery allows remote attackers to inject arbitrary SQL commands via the sortorder parameter.

  • CVE-2015-1393Feb 2, 2015
    risk 0.00cvss epss 0.02

    SQL injection vulnerability in the Photo Gallery plugin before 1.2.11 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the asc_or_desc parameter in a create gallery request in the galleries_bwg page to wp-admin/admin.php.

  • CVE-2015-1055Jan 16, 2015
    risk 0.00cvss epss 0.02

    SQL injection vulnerability in the Photo Gallery plugin 1.2.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the order_by parameter in a GalleryBox action to wp-admin/admin-ajax.php.