Vulnerabilities > 10Web
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-04-17 | CVE-2023-1427 | Path Traversal vulnerability in 10Web Photo Gallery - The Photo Gallery by 10Web WordPress plugin before 1.8.15 did not ensure that uploaded files are kept inside its uploads folder, allowing high privilege users to put images anywhere in the filesystem via a path traversal vector. | 4.9 |
| 2023-03-13 | CVE-2023-0037 | SQL Injection vulnerability in 10Web MAP Builder for Google Maps The 10Web Map Builder for Google Maps WordPress plugin before 1.0.73 does not properly sanitise and escape some parameters before using them in an SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection | 9.8 |
| 2023-01-23 | CVE-2022-4758 | Cross-site Scripting vulnerability in 10Web MAP Builder for Google Maps The 10WebMapBuilder WordPress plugin before 1.0.72 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. | 5.4 |
| 2022-10-25 | CVE-2022-3300 | SQL Injection vulnerability in 10Web Form Maker The Form Maker by 10Web WordPress plugin before 1.15.6 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin | 7.2 |
| 2022-06-08 | CVE-2022-1394 | Cross-site Scripting vulnerability in 10Web Photo Gallery The Photo Gallery by 10Web WordPress plugin before 1.6.4 does not properly validate and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks when unfiltered_html is disallowed | 3.5 |
| 2022-05-30 | CVE-2022-1564 | Cross-site Scripting vulnerability in 10Web Form Maker The Form Maker by 10Web WordPress plugin before 1.14.12 does not sanitize and escape the Custom Text settings, which could allow high privilege user such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | 3.5 |
| 2022-05-23 | CVE-2022-1320 | Cross-site Scripting vulnerability in 10Web Sliderby10Web The Sliderby10Web WordPress plugin before 1.2.52 does not properly sanitize and escape some of its settings, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | 3.5 |
| 2022-05-02 | CVE-2022-1281 | SQL Injection vulnerability in 10Web Photo Gallery The Photo Gallery WordPress plugin through 1.6.3 does not properly escape the $_POST['filter_tag'] parameter, which is appended to an SQL query, making SQL Injection attacks possible. | 7.5 |
| 2022-05-02 | CVE-2022-1282 | Cross-site Scripting vulnerability in 10Web Photo Gallery The Photo Gallery by 10Web WordPress plugin before 1.6.3 does not properly sanitize the $_GET['image_url'] variable, which is reflected back to the users when executing the editimage_bwg AJAX action. | 4.3 |
| 2022-03-14 | CVE-2022-0169 | SQL Injection vulnerability in 10Web Photo Gallery The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwg_tag_id_bwg_thumbnails_0 parameter before using it in a SQL statement via the bwg_frontend_data AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL injection | 7.5 |