CyberSec.Space Logo
Back to CVE Browser

CVE-2021-24362

MEDIUM
6.1
CVSS Severity Score
EPSS Score0.0190%
EPSS Percentile38.23th
PublishedAug 16, 2021
Last ModifiedNov 21, 2024

Vulnerability Description

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded SVG files added to a gallery do not contain malicious content. As a result, users allowed to add images to gallery can upload an SVG file containing JavaScript code, which will be executed when accessing the image directly (ie in the /wp-content/uploads/photo-gallery/ folder), leading to a Cross-Site Scripting (XSS) issue

Affected Platforms (CPE)

πŸ“¦
10web

Photo Gallery

< 1.5.75

References & Advisories

πŸ”— https://wpscan.com/vulnerability/57823dcb-2149-47f7-aae2-d9f04dce851a
πŸ”— https://wpscan.com/vulnerability/57823dcb-2149-47f7-aae2-d9f04dce851a

Related Vulnerabilities

CVE-2007-141410.0

Multiple PHP remote file inclusion vulnerabilities in Coppermine Photo Gallery (CPG) allow remote attackers to execute arbitrary P...

CVE-2007-491610.0

Heap-based buffer overflow in the FileFind::FindFile method in (1) MFC42.dll, (2) MFC42u.dll, (3) MFC71.dll, and (4) MFC71u.dll in...

CVE-2003-152510.0

Unspecified vulnerability in My Photo Gallery 3.5, and possibly earlier versions, has unknown impact and attack vectors.

CVE-2019-161199.8

SQL injection in the photo-gallery (10Web Photo Gallery) plugin before 1.5.35 for WordPress exists via the admin/controllers/Album...