cleantalk: Vulnerabilities and Security Research

Vulnerabilities and security research for foogallery

Jun 07, 2024

Best WordPress Gallery Plugin – FooGallery # CVE-2023-29439
CVE, Research URL: CVE-2023-29439
Date: May 16, 2023
Research Description: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in FooPlugins FooGallery plugin <= 2.2.35 versions.
Affected versions: max 2.2.41.
Status: vulnerable

Best WordPress Gallery Plugin – FooGallery # CVE-2023-44244
CVE, Research URL: CVE-2023-44244
Date: Oct 02, 2023
Research Description: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in FooPlugins FooGallery plugin <= 2.2.44 versions.
Affected versions: max 2.3.2.
Status: vulnerable

Best WordPress Gallery Plugin – FooGallery # CVE-2019-20182
CVE, Research URL: CVE-2019-20182
Date: Jan 10, 2020
Research Description: The FooGallery plugin 1.8.12 for WordPress allows XSS via the post_title parameter.
Affected versions: max 1.8.18.
Status: vulnerable

Best WordPress Gallery Plugin – FooGallery # CVE-2021-24357
CVE, Research URL: CVE-2021-24357
Date: Jun 14, 2021
Research Description: In the Best Image Gallery & Responsive Photo Gallery – FooGallery WordPress plugin before 2.0.35, the Custom CSS field of each gallery is not properly sanitised or validated before being output in the page where the gallery is embedded, leading to a stored Cross-Site Scripting issue.
Affected versions: max 2.0.35.
Status: vulnerable

Best WordPress Gallery Plugin – FooGallery # CVE-2024-2081
CVE, Research URL: CVE-2024-2081
Date: Apr 10, 2024
Research Description: The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the foogallery_attachment_modal_save action in all versions up to, and including, 2.4.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.4.15.
Status: vulnerable

Best WordPress Gallery Plugin – FooGallery # CVE-2024-2762
CVE, Research URL: CVE-2024-2762
Date: Jun 13, 2024
Research Description: The FooGallery WordPress plugin before 2.4.15 and the foogallery-premium WordPress plugin before 2.4.15 do not validate and escape some of their Gallery settings before outputting them back in the page, which could allow users with a role as low as Author to perform Stored Cross-Site Scripting attacks which could be used against high-privilege users such as admin.
Affected versions: max 2.4.15.
Status: vulnerable

Best WordPress Gallery Plugin – FooGallery # CVE-2024-2471
CVE, Research URL: CVE-2024-2471
Date: Apr 06, 2024
Research Description: The FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image attachment fields (such as 'Title', 'Alt Text', 'Custom URL', 'Custom Class', and 'Override Type') in all versions up to, and including, 2.4.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.4.15.
Status: vulnerable

Best WordPress Gallery Plugin – FooGallery # CVE-2024-0604
CVE, Research URL: CVE-2024-0604
Date: Feb 29, 2024
Research Description: The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.4.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions: max 2.4.9.
Status: vulnerable

Best WordPress Gallery Plugin – FooGallery # CVE-2023-44233
CVE, Research URL: CVE-2023-44233
Date: Oct 06, 2023
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in FooPlugins Best WordPress Gallery Plugin – FooGallery plugin <= 2.2.44 versions.
Affected versions: max 2.3.2.
Status: vulnerable

Jun 17, 2024

Best WordPress Gallery Plugin – FooGallery # CVE-2024-2122
CVE, Research URL: CVE-2024-2122
Date: Jun 14, 2024
Research Description: The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via album gallery custom URLs in all versions up to, and including, 2.4.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.4.16.
Status: vulnerable

Nov 15, 2024

Best WordPress Gallery Plugin – FooGallery # CVE-2022-4974
CVE, Research URL: CVE-2022-4974
Date: Oct 16, 2024
Research Description: The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
Affected versions: max 2.1.34.
Status: vulnerable

Feb 28, 2025

Best WordPress Gallery Plugin – FooGallery # CVE-2025-22624
CVE, Research URL: CVE-2025-22624
Date: Feb 28, 2025
Research Description: FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry and Carousel 2.4.29 was found to be vulnerable. The web application dynamically generates web content without validating the source of the potentially untrusted data in myapp/extensions/albums/admin/class-meta boxes.php.
Affected versions: max 2.4.30.
Status: vulnerable

Mar 09, 2025

Best WordPress Gallery Plugin – FooGallery # CVE-2024-12119
CVE, Research URL: CVE-2024-12119
Date: Mar 08, 2025
Research Description: The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the default_gallery_title_size parameter in all versions up to, and including, 2.4.29 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with granted gallery and album creator roles, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.4.30.
Status: vulnerable

Best WordPress Gallery Plugin – FooGallery # CVE-2024-12114
CVE, Research URL: CVE-2024-12114
Date: Mar 08, 2025
Research Description: The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.29 via the foogallery_attachment_modal_save AJAX action due to missing validation on a user controlled key (img_id). This makes it possible for authenticated attackers, with granted access and above, to update arbitrary post and page content. This requires the Gallery Creator Role setting to be a value lower than 'Editor' for there to be any real impact.
Affected versions: max 2.4.30.
Status: vulnerable

Jul 12, 2025

Best WordPress Gallery Plugin – FooGallery # CVE-2025-6068
CVE, Research URL: CVE-2025-6068
Date: Jul 11, 2025
Research Description: The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-caption-title` & `data-caption-description` HTML attributes in all versions up to, and including, 2.4.31 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.4.32.
Status: vulnerable

Mar 29, 2026

Best WordPress Gallery Plugin – FooGallery # CVE-2025-15524
CVE, Research URL: CVE-2025-15524
Date: Feb 11, 2026
Research Description: The Gallery by FooGallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax_get_gallery_info() function in all versions up to, and including, 3.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve metadata (name, image count, thumbnail URL) of private, draft, and password-protected galleries by enumerating gallery IDs.
Affected versions: max 3.1.10.
Status: vulnerable

Best WordPress Gallery Plugin – FooGallery # CVE-2026-25363
CVE, Research URL: CVE-2026-25363
Date: Feb 19, 2026
Research Description: Missing Authorization vulnerability in FooPlugins FooGallery foogallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FooGallery: from n/a through <= 3.1.11.
Affected versions: max 3.1.13.
Status: vulnerable

Best WordPress Gallery Plugin – FooGallery # CVE-2026-25362
CVE, Research URL: CVE-2026-25362
Date: Feb 19, 2026
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FooPlugins FooGallery foogallery allows Stored XSS. This issue affects FooGallery: from n/a through <= 3.1.11.
Affected versions: max 3.1.13.
Status: vulnerable

May 01, 2026

Best WordPress Gallery Plugin – FooGallery # CVE-2024-13362
CVE, Research URL: CVE-2024-13362
Date: May 01, 2026
Research Description: Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions: max 2.4.29.
Status: vulnerable

Jun 14, 2026

Best WordPress Gallery Plugin – FooGallery # CVE-2023-33999
CVE, Research URL: CVE-2023-33999
Date: Jun 11, 2026
Research Description: Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS. This issue affects WP Mail Log: from n/a through 1.0.2.
Affected versions: max 2.2.44.
Status: vulnerable

Best WordPress Gallery Plugin – FooGallery # CVE-2026-9134
CVE, Research URL: CVE-2026-9134
Date: Jun 13, 2026
Research Description: The FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_attribute_key' shortcode parameter in versions up to, and including, 3.1.31. This is due to an incomplete JavaScript event handler blacklist in the foogallery_sanitize_javascript() function, which blocks only a subset of HTML event attributes (onmouseover, onmouseout, onpointerenter, onclick, onload, onchange, onerror) while permitting others such as 'onmouseenter', combined with the failure to escape the attribute key when building the gallery container HTML in foogallery_build_container_attributes_safe(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.1.32.
Status: vulnerable

Jun 16, 2026

Best WordPress Gallery Plugin – FooGallery # 129f6de65da3f2268f529ec0df45d674a2e00e48
Date: Feb 28, 2022
Research Description:
Photo Gallery by FooGallery : Responsive Image Gallery, Masonry Gallery & Carousel [foogallery] < 2.1.34
WordPress FooGallery plugin <= 2.1.33 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability
Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability discovered in WordPress FooGallery plugin (versions <= 2.1.33).
Affected versions: max 2.1.34.
Status: vulnerable

Best WordPress Gallery Plugin – FooGallery # df775ee0f1bb2c119ec4fc517003dbe6c643160a
Date: Aug 27, 2020
Research Description:
Photo Gallery by FooGallery : Responsive Image Gallery, Masonry Gallery & Carousel [foogallery] < 1.9.25
WordPress FooGallery plugin <= 1.9.24 - Authenticated Cross-Site Scripting (XSS) vulnerability
Authenticated Cross-Site Scripting (XSS) vulnerability found by VishnuPriya Ilango (Fortinet FortiGuard Labs) in WordPress FooGallery plugin (versions <= 1.9.24).
Affected versions: max 1.9.25.
Status: vulnerable

Best WordPress Gallery Plugin – FooGallery # 7c7f0fd2436b9172882f5c43dc5f51636ce718b4
Date: Mar 02, 2019
Research Description:
Photo Gallery by FooGallery : Responsive Image Gallery, Masonry Gallery & Carousel [foogallery] < 1.6.17
WordPress FooGallery plugin <= 1.6.15 - Authenticated Option Update vulnerability (Freemius Library security issue)
Authenticated Option Update vulnerability (Freemius Library security issue) found in WordPress FooGallery plugin (versions <= 1.6.15).
Affected versions: max 1.6.17.
Status: vulnerable

Best WordPress Gallery Plugin – FooGallery # 7e57cd4f4859826de00a8e2b09ee24fb7f2d824b
Date: Feb 25, 2019
Research Description:
Photo Gallery by FooGallery : Responsive Image Gallery, Masonry Gallery & Carousel [foogallery] < 1.6.17
Freemius SDK <= 2.2.3 - Missing Authorization to Arbitrary Options Update
The Freemius SDK for WordPress is vulnerable to authorization bypass due to a missing capability check on the _get_db_option and _set_db_option functions in versions up to, and including, 2.2.3. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to change site settings and potentially take over the site.
Affected versions: max 1.6.17.
Status: vulnerable

Best WordPress Gallery Plugin – FooGallery # fc5c87b5f224679c73e443f1fa5ff639d89c03b5
Date: Feb 28, 2022
Research Description:
Photo Gallery by FooGallery : Responsive Image Gallery, Masonry Gallery & Carousel [foogallery] < 2.1.34
WordPress FooGallery plugin <= 2.1.33 - Sensitive Information Disclosure vulnerability
Sensitive Information Disclosure vulnerability discovered in WordPress FooGallery plugin (versions <= 2.1.33).
Affected versions: max 2.1.34.
Status: vulnerable

Best WordPress Gallery Plugin – FooGallery # 6d8910c719b2a132ec93828cd37e418b19cac960
Date: Mar 04, 2022
Research Description:
Photo Gallery by FooGallery : Responsive Image Gallery, Masonry Gallery & Carousel [foogallery] < 2.1.34
Freemius SDK <= 2.4.2 - Missing Authorization Checks
The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
Affected versions: max 2.1.34.
Status: vulnerable

Best WordPress Gallery Plugin – FooGallery # 6dae6dca-7474-4008-9fe5-4c62b9f12d0a
Date: -
Research Description:
Photo Gallery by FooGallery : Responsive Image Gallery, Masonry Gallery & Carousel [foogallery] < 2.1.34
Unauthorised AJAX Calls via Freemius
The plugins and themes use an insecure version of the Freemius Framework, which is lacking CSRF and/or authorisation in some of its AJAX actions. As a result, any authenticated user, such as a subscriber, could access the debug logs. Unauthenticated attackers could also make a logged-in admin toggle the debug mode via a CSRF attack.
Affected versions: max 2.1.34.
Status: vulnerable

Best WordPress Gallery Plugin – FooGallery # 6ff37c2e-e21d-4abc-bafe-8ca6a2c1ed76
Date: -
Research Description:
Photo Gallery by FooGallery : Responsive Image Gallery, Masonry Gallery & Carousel [foogallery] < 1.6.17
Freemius Library < 2.2.4 - Subscriber+ Arbitrary Option Update
The library, used in numerous plugins, does not have proper authorisation when updating blog options, allowing any authenticated user, such as a subscriber, to update arbitrary options.
Affected versions: max 1.6.17.
Status: vulnerable

Best WordPress Gallery Plugin – FooGallery # a7b60e5306ff87b47b34a38b5df1649b0ec9bedc
Date: May 04, 2020
Research Description:
Photo Gallery by FooGallery : Responsive Image Gallery, Masonry Gallery & Carousel [foogallery] < 1.9.25
FooGallery <= 1.9.24 - Authenticated Cross-Site Scripting
The FooGallery plugin for WordPress is vulnerable to Cross-Site Scripting via the image title and caption parameters in the gallery media upload editor in versions up to, and including, 1.9.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 1.9.25.
Status: vulnerable

Best WordPress Gallery Plugin – FooGallery # 297228e3-729b-487c-8cf5-2fc7548ea840
Date: -
Research Description:
Photo Gallery by FooGallery : Responsive Image Gallery, Masonry Gallery & Carousel [foogallery] < 1.9.25
FooGallery < 1.9.25 - Authenticated Cross-Site Scripting (XSS)
The FooGallery WordPress plugin was found to be vulnerable to Authenticated Cross-Site Scripting (XSS). "The vulnerability is caused by improper sanitization of user input in the image title or caption parameters in the gallery media upload editor. Thereby it can lead to an XSS in the default lightbox feature."
Affected versions: max 1.9.25.
Status: vulnerable