Photo Gallery
by WordPress
CVEs (16)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-0221 | | Cri | 0.59 | 9.1 | 0.01 | | Feb 5, 2024 | The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.8.19 via the rename_item function. This makes it possible for authenticated attackers to rename arbitrary files on the… |
| CVE-2019-16119 | | | 0.06 | — | 0.34 | | Sep 8, 2019 | SQL injection in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via the admin/controllers/Albumsgalleries.php album_id parameter. |
| CVE-2019-16117 | | | 0.03 | — | 0.02 | | Sep 8, 2019 | Cross site scripting (XSS) in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via admin/models/Galleries.php. |
| CVE-2019-16118 | | | 0.03 | — | 0.03 | | Sep 8, 2019 | Cross site scripting (XSS) in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via admin/controllers/Options.php. |
| CVE-2010-2336 | | | 0.03 | — | 0.02 | | Jun 18, 2010 | index.php in Yamamah Photo Gallery 1.00 allows remote attackers to obtain the source code of executable files within the web document root via the download parameter. |
| CVE-2010-2335 | | | 0.03 | — | 0.00 | | Jun 18, 2010 | SQL injection vulnerability in index.php in Yamamah Photo Gallery 1.00, as distributed before 20100618, allows remote attackers to execute arbitrary SQL commands via the news parameter. |
| CVE-2010-2334 | | | 0.03 | — | 0.02 | | Jun 18, 2010 | Directory traversal vulnerability in themes/default/download.php in Yamamah Photo Gallery 1.00, as distributed before 20100618, allows remote attackers to read arbitrary files via a .. (dot dot) in the download parameter. |
| CVE-2006-6937 | | | 0.03 | — | 0.02 | | Jan 17, 2007 | SQL injection vulnerability in displaypic.asp in Xtreme ASP Photo Gallery allows remote attackers to inject arbitrary SQL commands via the sortorder parameter. |
| CVE-2021-31693 | | | 0.00 | — | 0.00 | | Nov 29, 2022 | The 10Web Photo Gallery plugin through 1.5.68 for WordPress allows XSS via album_gallery_id_0, bwg_album_search_0, and type_0 for bwg_frontend_data. NOTE: other parameters are covered by CVE-2021-24291, CVE-2021-25041, and CVE-2021-46889. NOTE: VMware information, previously… |
| CVE-2015-1394 | | | 0.00 | — | 0.00 | | Feb 8, 2020 | Multiple cross-site scripting (XSS) vulnerabilities in the Photo Gallery plugin before 1.2.11 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via the (1) sort_by, (2) sort_order, (3) items_view, (4) dir, (5) clipboard_task, (6)… |
| CVE-2015-9380 | | | 0.00 | — | 0.00 | | Aug 30, 2019 | The photo-gallery plugin before 1.2.42 for WordPress has CSRF. |
| CVE-2016-10921 | | | 0.00 | — | 0.01 | | Aug 22, 2019 | The gallery-photo-gallery plugin before 1.0.1 for WordPress has SQL injection. |
| CVE-2019-14798 | | | 0.00 | — | 0.01 | | Aug 9, 2019 | The 10Web Photo Gallery plugin before 1.5.25 for WordPress has Authenticated Local File Inclusion via directory traversal in the wp-admin/admin-ajax.php?action=shortcode_bwg tagtext parameter. |
| CVE-2019-14313 | | | 0.00 | — | 0.04 | | Jul 30, 2019 | A SQL injection vulnerability exists in the 10Web Photo Gallery plugin before 1.5.31 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via filemanager/model.php. |
| CVE-2015-2324 | | | 0.00 | — | 0.00 | | Feb 19, 2018 | Cross-site scripting (XSS) vulnerability in the filemanager in the Photo Gallery plugin before 1.2.13 for WordPress allows remote authenticated users with edit permission to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2015-1055 | | | 0.00 | — | 0.01 | | Jan 16, 2015 | SQL injection vulnerability in the Photo Gallery plugin 1.2.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the order_by parameter in a GalleryBox action to wp-admin/admin-ajax.php. |