Filtered by vendor Contest-gallery
Filtered by product Contest Gallery
Total: 25 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2022-4155 | 1 Contest-gallery | 1 Contest Gallery | 2024-08-03 | 4.9 Medium |
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the wp_user_id GET parameter before concatenating it to an SQL query in management-show-user.php. This may allow malicious users with administrator privileges (i.e. on multisite WordPress configurations) to leak sensitive information from the site's database. | ||||
CVE-2022-4153 | 1 Contest-gallery | 1 Contest Gallery | 2024-08-03 | 6.5 Medium |
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the upload[] POST parameter before concatenating it to an SQL query in get-data-create-upload-v10.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. | ||||
CVE-2022-4151 | 1 Contest-gallery | 1 Contest Gallery | 2024-08-03 | 6.5 Medium |
The Contest Gallery WordPress plugin before 19.1.5.1, Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the option_id GET parameter before concatenating it to an SQL query in export-images-data.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. | ||||
CVE-2023-28784 | 1 Contest-gallery | 1 Contest Gallery | 2024-08-02 | 7.1 High |
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Contest Gallery plugin <= 21.1.2 versions. | ||||
CVE-2023-5307 | 1 Contest-gallery | 1 Contest Gallery | 2024-08-02 | 6.1 Medium |
The Photos and Files Contest Gallery WordPress plugin before 21.2.8.1 does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks via certain headers. | ||||