Vulnerabilities and security research for envira-gallery-lite
Jun 07, 2024
Gallery Plugin for WordPress – Envira Photo Gallery # CVE-2023-6742
- CVE, Research URL
- Date
- Jan 11, 2024
- Research Description
- The Gallery Plugin for WordPress – Envira Photo Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the 'envira_gallery_insert_images' function in all versions up to, and including, 1.8.7.1. This makes it possible for authenticated attackers, with contributor access and above, to modify galleries on other users' posts.
- Affected versions
- max 1.8.7.3.
- Status
- vulnerable
Gallery Plugin for WordPress – Envira Photo Gallery # CVE-2021-24126
- CVE, Research URL
- Date
- Mar 18, 2021
- Research Description
- Unvalidated input and lack of output encoding in the Envira Gallery Lite WordPress plugin, versions before 1.8.3.3, did not properly sanitise the image metadata (namely title) before outputting it in the generated gallery, which could lead to privilege escalation.
- Affected versions
- max 1.8.3.3.
- Status
- vulnerable
Gallery Plugin for WordPress – Envira Photo Gallery # CVE-2022-2190
- CVE, Research URL
- Date
- Oct 31, 2022
- Research Description
- The Gallery Plugin for WordPress plugin before 1.8.4.7 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.
- Affected versions
- max 1.8.4.7.
- Status
- vulnerable
Gallery Plugin for WordPress – Envira Photo Gallery # CVE-2020-9334
- CVE, Research URL
- Date
- Feb 25, 2020
- Research Description
- A stored XSS vulnerability exists in the Envira Photo Gallery plugin through 1.7.6 for WordPress. Successful exploitation of this vulnerability would allow an authenticated low-privileged user to inject arbitrary JavaScript code that is viewed by other users.
- Affected versions
- max 1.7.7.
- Status
- vulnerable
Jun 24, 2024
Gallery Plugin for WordPress – Envira Photo Gallery # CVE-2024-37095
- CVE, Research URL
- Date
- Nov 01, 2024
- Research Description
- Missing Authorization vulnerability in Envira Gallery Team Envira Photo Gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Envira Photo Gallery: from n/a through 1.8.7.3.
- Affected versions
- max 1.8.8.
- Status
- vulnerable
Aug 29, 2024
Gallery Plugin for WordPress – Envira Photo Gallery # CVE-2024-43925
- CVE, Research URL
- Date
- Nov 01, 2024
- Research Description
- Missing Authorization vulnerability in Envira Gallery Team Envira Photo Gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Envira Photo Gallery: from n/a through 1.8.14.
- Affected versions
- max 1.8.15.
- Status
- vulnerable
Sep 12, 2024
Gallery Plugin for WordPress – Envira Photo Gallery # CVE-2024-3899
- CVE, Research URL
- Date
- Sep 11, 2024
- Research Description
- The Gallery Plugin for WordPress WordPress plugin before 1.8.15 does not sanitise and escape some of its image settings, which could allow users with post-writing privilege such as Author to perform Cross-Site Scripting attacks.
- Affected versions
- max 1.8.15.
- Status
- vulnerable
Dec 05, 2024
Gallery Plugin for WordPress – Envira Photo Gallery # CVE-2024-5020
- CVE, Research URL
- Date
- Dec 04, 2024
- Research Description
- Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled FancyBox JavaScript library (versions 1.3.4 to 3.5.7) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
- max 1.8.16.
- Status
- vulnerable
Dec 10, 2025
Gallery Plugin for WordPress – Envira Photo Gallery # CVE-2025-12377
- CVE, Research URL
- Date
- Nov 13, 2025
- Research Description
- The Gallery Plugin for WordPress – Envira Photo Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 1.12.0. This makes it possible for authenticated attackers, with Author-level access and above, to perform multiple actions, such as removing images from arbitrary galleries. The vulnerability was partially patched in version 1.12.0.
- Affected versions
- max 1.12.1.
- Status
- vulnerable
Gallery Plugin for WordPress – Envira Photo Gallery # CVE-2025-11448
- CVE, Research URL
- Date
- Nov 08, 2025
- Research Description
- The Gallery Plugin for WordPress – Envira Photo Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/envira-convert/v1/bulk-convert' REST API endpoint in all versions up to, and including, 1.11.0. This makes it possible for authenticated attackers, with contributor-level access and above, to convert galleries to Envira galleries.
- Affected versions
- max 1.12.0.
- Status
- vulnerable