cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-13583,https://securityvulnerability.io/vulnerability/CVE-2024-13583,Stored Cross-Site Scripting in Simple Gallery with Filter Plugin for WordPress,"The Simple Gallery with Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the plugin's 'c2tw_sgwf' shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. Authenticated attackers with Contributor-level access and above can inject arbitrary web scripts into pages; the scripts execute whenever a user views the injected page.",Wordpress,Simple Gallery With Filter,6.4,MEDIUM,0.0005300000193528831,false,,false,false,false,false,false,false,2025-01-24T09:21:51.358Z,0
CVE-2024-13584,https://securityvulnerability.io/vulnerability/CVE-2024-13584,Stored Cross-Site Scripting in Picture Gallery Plugin for WordPress,"The Picture Gallery – Frontend Image Uploads, AJAX Photo List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'videowhisper_pictures' shortcode due to insufficient input sanitization and output escaping. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages; the scripts execute whenever a user views the injected page.",Wordpress,"Picture Gallery – Frontend Image Uploads, Ajax Photo List",5.4,MEDIUM,0.0005300000193528831,false,,false,false,false,false,false,false,2025-01-22T03:21:31.223Z,0
CVE-2024-12696,https://securityvulnerability.io/vulnerability/CVE-2024-12696,Stored Cross-Site Scripting in Picture Gallery Plugin for WordPress,"The Picture Gallery – Frontend Image Uploads, AJAX Photo List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'videowhisper_picture_upload_guest' shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages; the scripts execute whenever a user views the injected page.",Wordpress,"Picture Gallery – Frontend Image Uploads, Ajax Photo List",6.4,MEDIUM,0.0005300000193528831,false,,false,false,false,false,false,false,2025-01-18T07:05:10.013Z,0
CVE-2025-23842,https://securityvulnerability.io/vulnerability/CVE-2025-23842,Cross-Site Request Forgery Vulnerability in Nilesh Shiragave WordPress Gallery Plugin,"A Cross-Site Request Forgery (CSRF) vulnerability in the WordPress Gallery Plugin by Nilesh Shiragave allows an attacker to trick an authenticated user into submitting a request that performs unwanted actions in that user's session, potentially leading to unauthorized content manipulation or data exposure. Affected versions range from an unspecified earliest release up to version 1.4.",Wordpress,WordPress Gallery Plugin,7.1,HIGH,0.0004299999854993075,false,,false,false,false,false,false,false,2025-01-16T20:07:21.537Z,0
CVE-2024-12403,https://securityvulnerability.io/vulnerability/CVE-2024-12403,Reflected Cross-Site Scripting in Image Gallery Plugin for WordPress,"The Image Gallery – Responsive Photo Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'awsmgallery' parameter in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping. Attackers can inject arbitrary web scripts into pages that execute if they can trick a user into performing an action such as clicking on a crafted link.",Wordpress,Awesome Responsive Photo Gallery – Image & Video Lightbox Gallery,6.1,MEDIUM,0.0005200000014156103,false,,false,false,false,false,false,false,2025-01-15T09:25:55.266Z,0
CVE-2024-12853,https://securityvulnerability.io/vulnerability/CVE-2024-12853,Arbitrary File Upload Vulnerability in Modula Image Gallery Plugin for WordPress,"The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in its zip upload feature in all versions up to, and including, 2.11.10. Authenticated attackers with Author-level access and above can upload arbitrary files to the affected site's server, which may make remote code execution possible.",Wordpress,Modula Image Gallery,8.8,HIGH,0.0005000000237487257,false,,false,false,false,false,false,false,2025-01-08T09:18:36.690Z,0
CVE-2024-12624,https://securityvulnerability.io/vulnerability/CVE-2024-12624,Stored Cross-Site Scripting in Sina Extension for Elementor Plugin for WordPress,"The Sina Extension for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Sina Image Differ widget due to insufficient input sanitization and output escaping on user-supplied attributes. Authenticated attackers with Contributor-level access and above can inject arbitrary web scripts into pages; the scripts execute whenever a user views the injected page.",Wordpress,"Sina Extension For Elementor (slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates)",6.4,MEDIUM,0.00044999999227002263,false,,false,false,false,false,false,false,2025-01-07T06:40:56.716Z,0
CVE-2024-10102,https://securityvulnerability.io/vulnerability/CVE-2024-10102,Stored Cross-Site Scripting in Rbs Image Gallery Plugin for WordPress,"The Rbs Image Gallery plugin for WordPress, in versions prior to 3.2.22, does not sanitize and escape some of its Gallery settings, which allows users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks against other users of the site.",Wordpress,"Photo Gallery, Images, Slider In Rbs Image Gallery",,,0.0004299999854993075,false,,false,false,true,true,false,false,2025-01-07T06:00:02.472Z,0
CVE-2024-12590,https://securityvulnerability.io/vulnerability/CVE-2024-12590,Stored Cross-Site Scripting Vulnerability in WP Youtube Gallery Plugin for WordPress,"The WP Youtube Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in all versions up to, and including, 1.9 due to insufficient input sanitization and output escaping. Authenticated attackers with Contributor-level access and above can inject arbitrary web scripts into pages; the scripts execute whenever a user views the injected page.",Wordpress,WP Youtube Gallery,6.4,MEDIUM,0.0005300000193528831,false,,false,false,false,false,false,false,2025-01-07T03:21:52.546Z,0
CVE-2024-12096,https://securityvulnerability.io/vulnerability/CVE-2024-12096,Reflected Cross-Site Scripting Vulnerability in Exhibit to WP Gallery WordPress Plugin,"The Exhibit to WP Gallery plugin for WordPress, up to version 0.0.2, does not sanitize and escape a parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting. The flaw can be used against high-privilege users such as administrators who are tricked into opening a crafted link. Updating the plugin is recommended.",Wordpress,Exhibit To WP Gallery,,,0.0004299999854993075,false,,false,false,true,true,false,false,2024-12-24T06:00:08.517Z,0
CVE-2024-11900,https://securityvulnerability.io/vulnerability/CVE-2024-11900,Stored Cross-Site Scripting Vulnerability in Portfolio – Filterable Masonry Portfolio Gallery Plugin for WordPress,"The Portfolio – Filterable Masonry Portfolio Gallery for Professionals plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user-supplied attributes. Authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages; the scripts execute whenever a user views the injected page.",Wordpress,Portfolio – Filterable Masonry Portfolio Gallery For Professionals,6.4,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-12-17T00:15:00.000Z,0
CVE-2024-12162,https://securityvulnerability.io/vulnerability/CVE-2024-12162,Ultimate Member Video & Photo Gallery Plugin Vulnerable to Reflected XSS,"The Video & Photo Gallery for Ultimate Member plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",Wordpress,Video & Photo Gallery For Ultimate Member,6.1,MEDIUM,0.0005200000014156103,false,,false,false,false,,false,false,2024-12-12T04:23:14.349Z,0
CVE-2024-11501,https://securityvulnerability.io/vulnerability/CVE-2024-11501,Gallery Plugin Vulnerable to PHP Object Injection,"The Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3 via deserialization of untrusted input from the wd_gallery_$id parameter. Authenticated attackers with Contributor-level access and above can inject a PHP object. No known POP (property-oriented programming) chain is present in the vulnerable plugin itself; if a chain is present through an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.",Wordpress,Gallery,8.8,HIGH,0.0005000000237487257,false,,false,false,false,,false,false,2024-12-07T11:09:53.288Z,0
CVE-2024-11823,https://securityvulnerability.io/vulnerability/CVE-2024-11823,Stored Cross-Site Scripting Vulnerability in Folder Gallery Plugin,"The Folder Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'foldergallery' shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. Authenticated attackers with Contributor-level access and above can inject arbitrary web scripts into pages; the scripts execute whenever a user views the injected page.",Wordpress,Folder Gallery,6.1,MEDIUM,0.0005200000014156103,false,,false,false,false,,false,false,2024-12-06T08:24:57.031Z,0
CVE-2024-10247,https://securityvulnerability.io/vulnerability/CVE-2024-10247,Time-Based SQL Injection Vulnerability in The Video Gallery Plugin,"The Video Gallery – Best WordPress YouTube Gallery plugin for WordPress is vulnerable to time-based SQL Injection due to insufficient escaping of user-supplied parameters and lack of sufficient preparation on the existing SQL query. Authenticated attackers with Administrator-level access and above can append additional SQL queries to existing queries and use them to extract sensitive information from the database.",Wordpress,Video Gallery – Youtube Gallery And Vimeo Gallery,7.2,HIGH,0.0008099999977275729,false,,false,false,false,,false,false,2024-12-06T03:25:39.169Z,0
CVE-2024-9769,https://securityvulnerability.io/vulnerability/CVE-2024-9769,Stored Cross-Site Scripting Vulnerability Affects The Video Gallery Plugin,"The Video Gallery – Best WordPress YouTube Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. Authenticated attackers with Administrator-level permissions and above can inject arbitrary web scripts into pages that execute whenever a user views an injected page. This only matters on multi-site installations and on installations where unfiltered_html has been disabled, since administrators can otherwise post unfiltered HTML legitimately.",Wordpress,Video Gallery – Youtube Gallery And Vimeo Gallery,4.4,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-12-06T03:25:38.678Z,0
CVE-2024-11453,https://securityvulnerability.io/vulnerability/CVE-2024-11453,Stored Cross-Site Scripting Vulnerability in WordPress Pinterest Plugin,"The WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gs_pin_widget' shortcode in all versions up to, and including, 1.8.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,"WordPress Pinterest Plugin – Make A Popup, User Profile, Masonry And Gallery Layout",6.4,MEDIUM,0.0005300000193528831,false,,false,false,false,,false,false,2024-12-03T07:34:54.323Z,0
CVE-2024-53788,https://securityvulnerability.io/vulnerability/CVE-2024-53788,Stored XSS Vulnerability in Portfoliohub Portfolio Builder - Portfolio Gallery,"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Portfoliohub WordPress Portfolio Builder – Portfolio Gallery allows Stored XSS. This issue affects WordPress Portfolio Builder – Portfolio Gallery: from n/a through 1.1.7.",Wordpress,WordPress Portfolio Builder – Portfolio Gallery,5.9,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,2024-11-30T21:05:23.534Z,0
CVE-2024-10704,https://securityvulnerability.io/vulnerability/CVE-2024-10704,Stored Cross-Site Scripting Vulnerability in Photo Gallery by 10Web Plugin,"The Photo Gallery by 10Web plugin for WordPress, in versions prior to 1.8.31, does not sanitize and escape some of its settings, which allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setups). Updating the plugin is recommended.",Wordpress,Photo Gallery By 10web,,,0.0004299999854993075,false,,false,false,true,true,false,false,2024-11-29T06:00:07.129Z,0
CVE-2024-11103,https://securityvulnerability.io/vulnerability/CVE-2024-11103,Unauthenticated Privilege Escalation via Account Takeover in Contest Gallery Plugin,"The Contest Gallery plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 24.0.7 and earlier because the plugin does not properly validate a user's identity before updating their password. Unauthenticated attackers can reset the password of arbitrary users, including administrators, and gain access to those accounts. Users are strongly advised to update to the latest version.",Wordpress,"Photos, Files, Youtube, Twitter, Instagram, Tiktok, Ecommerce Contest Gallery – Upload, Vote, Sell Via Paypal, Social Share Buttons",9.8,CRITICAL,0.0006300000241026282,false,,false,false,false,,false,false,2024-11-28T09:47:09.248Z,0
CVE-2024-11119,https://securityvulnerability.io/vulnerability/CVE-2024-11119,Stored Cross-Site Scripting Vulnerability in BNE Gallery Extended Plugin,"The BNE Gallery Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gallery' shortcode in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,Bne Gallery Extended,6.4,MEDIUM,0.0006799999973736703,false,,false,false,false,,false,false,2024-11-26T08:31:53.929Z,0
CVE-2024-11002,https://securityvulnerability.io/vulnerability/CVE-2024-11002,Arbitrary Shortcode Execution Vulnerability in InPost Gallery Plugin,"The InPost Gallery plugin for WordPress is vulnerable to arbitrary shortcode execution via the inpost_gallery_get_shortcode_template AJAX action in all versions up to, and including, 2.1.4.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.",Wordpress,Inpost Gallery,6.3,MEDIUM,0.0006799999973736703,false,,false,false,false,,false,false,2024-11-26T06:43:44.633Z,0
CVE-2024-10034,https://securityvulnerability.io/vulnerability/CVE-2024-10034,Stored Cross-Site Scripting Vulnerability in Gallery Blocks with Lightbox,"The Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the gallery link text parameter in all versions up to, and including, 3.2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,"Gallery Blocks With Lightbox. Image Gallery, (html5 Video , Youtube, Vimeo) Video Gallery And Lightbox For Native Gallery",5.5,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-11-22T05:33:41.576Z,0
CVE-2024-11601,https://securityvulnerability.io/vulnerability/CVE-2024-11601,Cross-Site Request Forgery Vulnerability in Sky Addons for Elementor,"The Sky Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.1 due to inadequate nonce validation on the save_options() function. This makes it possible for unauthenticated attackers to update arbitrary option values that can be saved as arrays via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.",Wordpress,"Sky Addons For Elementor (free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blog, Video Gallery)",8.1,HIGH,0.000539999979082495,false,,false,false,false,,false,false,2024-11-22T05:33:41.092Z,0
CVE-2024-11104,https://securityvulnerability.io/vulnerability/CVE-2024-11104,Unauthorized Modification of Data Leading to Denial of Service in Sky Addons for Elementor,"The Sky Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_options() function in all versions up to 2.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options that can be saved as arrays, which can lead to a denial of service.",Wordpress,"Sky Addons For Elementor (free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blog, Video Gallery)",8.1,HIGH,0.0006600000197067857,false,,false,false,false,,false,false,2024-11-22T05:33:40.055Z,0
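Most of the stored XSS rows above (CVE-2024-13583, -13584, -12696, -12590, -11823, -11453, -11119 and others) share one root cause: a shortcode handler concatenates user-supplied attributes into markup without escaping, and a Contributor, who cannot post raw HTML but can save shortcodes, breaks out of the attribute. The following is an added example written for this page, not code from any plugin in the table; the plugin prefix "ex_", the shortcode name [ex_gallery] and its attributes are hypothetical.

```php
<?php
// Added example for this page, not code from any plugin listed in the table.
// "ex_" prefix, [ex_gallery] and its attributes are hypothetical.

// VULNERABLE: attribute values are concatenated straight into markup.
// A Contributor cannot save raw <script> (no unfiltered_html) but can save
//   [ex_gallery id="1" title='" onmouseover="alert(document.cookie)']
// The single-quoted value contains no '<', so wp_kses leaves it untouched, and
// the rendered title="" attribute is broken out of for every visitor of the post.
function ex_gallery_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0, 'title' => '', 'link' => '' ), $atts, 'ex_gallery' );
    return '<div class="ex-gallery" data-id="' . $atts['id'] . '" title="' . $atts['title'] . '">'
         . '<a href="' . $atts['link'] . '">' . $atts['title'] . '</a></div>';
}

// HARDENED: coerce/sanitize on input, then escape for the exact output context.
function ex_gallery_shortcode_hardened( $atts ) {
    $atts  = shortcode_atts( array( 'id' => 0, 'title' => '', 'link' => '' ), $atts, 'ex_gallery' );
    $id    = absint( $atts['id'] );                  // integer only
    $title = sanitize_text_field( $atts['title'] );  // strips tags and control characters
    $link  = esc_url( $atts['link'] );               // drops javascript:, data: and other non-allowed schemes
    return '<div class="ex-gallery" data-id="' . esc_attr( (string) $id ) . '"'
         . ' title="' . esc_attr( $title ) . '">'                    // HTML attribute context
         . '<a href="' . $link . '">' . esc_html( $title ) . '</a>'   // HTML text context
         . '</div>';
}
add_shortcode( 'ex_gallery', 'ex_gallery_shortcode_hardened' );
```

The point to check in a review is that every attribute is escaped with the function matching the context it lands in (esc_attr inside attributes, esc_html in text, esc_url in href/src); sanitizing on input alone does not help once the same value is emitted into two different contexts.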
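CVE-2024-11601 and CVE-2024-11104 are two separate findings against the same save_options() function: one for a missing nonce (CSRF, reachable through an administrator's browser) and one for a missing capability check (reachable directly by any Subscriber). They are independent controls, and an AJAX handler needs both. The block below is an added example for this page, not Sky Addons' code; the option names, the AJAX action 'ex_save_options' and the nonce action name are hypothetical.

```php
<?php
// Added example for this page, not code from Sky Addons or any plugin listed.
// The AJAX action, nonce action and option names are hypothetical.

// VULNERABLE: no nonce (CSRF) and no capability check (any logged-in user).
// wp_ajax_* hooks are reachable by every authenticated user regardless of role,
// and the request chooses which option to overwrite.
function ex_save_options_vulnerable() {
    $options = isset( $_POST['options'] ) ? (array) $_POST['options'] : array();
    foreach ( $options as $name => $value ) {
        update_option( $name, $value );   // attacker-chosen option name and value
    }
    wp_send_json_success();
}

// HARDENED: capability check, nonce check, allow-listed option names, sanitized values.
function ex_save_options_hardened() {
    // 1. Capability. A nonce alone does not stop a Subscriber: they can read a
    //    valid nonce for their own session out of the page and replay it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. Nonce, bound to this user and this action. A capability check alone does
    //    not stop CSRF: a forged request rides on the administrator's cookies.
    check_ajax_referer( 'ex_save_options', 'nonce' );

    // 3. Never let the request pick the option name; map known keys to sanitizers.
    $allowed = array( 'ex_columns' => 'absint', 'ex_layout' => 'sanitize_key' );
    $raw     = ( isset( $_POST['options'] ) && is_array( $_POST['options'] ) )
             ? wp_unslash( $_POST['options'] ) : array();
    $clean   = array();
    foreach ( $allowed as $name => $sanitizer ) {
        if ( array_key_exists( $name, $raw ) && is_scalar( $raw[ $name ] ) ) {
            $clean[ $name ] = call_user_func( $sanitizer, $raw[ $name ] );
        }
    }
    update_option( 'ex_settings', $clean );   // one fixed option, validated shape
    wp_send_json_success( $clean );
}
add_action( 'wp_ajax_ex_save_options', 'ex_save_options_hardened' );
```

The matching nonce is issued on the settings page with wp_create_nonce( 'ex_save_options' ) and sent as the 'nonce' field of the AJAX request; check_ajax_referer() ends the request with a 403 when it is absent or invalid.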
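CVE-2024-11501 describes the PHP Object Injection pattern: unserialize() on request data lets a Contributor instantiate any loaded class and trigger its __wakeup()/__destruct() methods, so the impact depends on which other plugins and themes supply a POP chain. The block below is an added example for this page, not code from the Gallery plugin; the parameter name 'ex_gallery_state' and the state fields are hypothetical.

```php
<?php
// Added example for this page, not code from the Gallery plugin or any plugin
// listed. The 'ex_gallery_state' parameter and its fields are hypothetical.

// VULNERABLE: unserialize() on attacker-controlled input. Even if this plugin has
// no dangerous class, any gadget class from another installed plugin or theme
// becomes reachable (a POP chain): file deletion, data read, or code execution.
function ex_load_state_vulnerable() {
    $raw = isset( $_POST['ex_gallery_state'] ) ? wp_unslash( $_POST['ex_gallery_state'] ) : '';
    return unserialize( $raw );
}

// HARDENED option A: keep the serialized format but forbid object instantiation.
// With allowed_classes => false (PHP >= 7.0) any O:... token becomes a
// __PHP_Incomplete_Class and no magic method runs; arrays and scalars still load.
function ex_load_state_no_objects( $raw ) {
    $data = @unserialize( $raw, array( 'allowed_classes' => false ) );
    return is_array( $data ) ? $data : array();
}

// HARDENED option B (preferred for new code): JSON cannot express objects with
// behaviour, and the decoded structure is validated field by field.
function ex_load_state_json( $raw ) {
    $data = json_decode( $raw, true );
    if ( ! is_array( $data ) ) {
        return array( 'page' => 1, 'sort' => 'date' );
    }
    $sort = isset( $data['sort'] ) ? (string) $data['sort'] : 'date';
    return array(
        'page' => isset( $data['page'] ) ? max( 1, absint( $data['page'] ) ) : 1,
        'sort' => in_array( $sort, array( 'date', 'title' ), true ) ? $sort : 'date',
    );
}
```

Option A is the minimal change when the stored format cannot be migrated; it removes the object-injection primitive but still trusts the structure, so the shape check in option B should be applied on top of it as well.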