Vulnerabilities and security researches forgallery-photo-gallery gallery-photo-gallery
Direction: descendingDec 10, 2025
Photo Gallery by Ays – Responsive Image Gallery # CVE-2025-13685
- CVE, Research URL
- Date
- Dec 02, 2025
- Research Description
- The Photo Gallery by Ays plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.4.8. This is due to missing nonce verification on the bulk action functionality in the 'process_bulk_action()' function. This makes it possible for unauthenticated attackers to perform bulk operations (delete, publish, or unpublish galleries) via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
- Affected versions
-
max 6.4.9.
- Status
-
vulnerable
Oct 11, 2025
Photo Gallery by Ays – Responsive Image Gallery # CVE-2025-57947
- CVE, Research URL
- Date
- Sep 23, 2025
- Research Description
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ays Pro Photo Gallery by Ays allows DOM-Based XSS. This issue affects Photo Gallery by Ays: from n/a through 6.3.6.
- Affected versions
-
max 6.3.7.
- Status
-
vulnerable
Jul 02, 2024
Photo Gallery by Ays – Responsive Image Gallery # CVE-2024-37442
- CVE, Research URL
- Date
- Jul 09, 2024
- Research Description
- Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Photo Gallery Team Photo Gallery by Ays allows Code Injection.This issue affects Photo Gallery by Ays: from n/a before 5.7.1.
- Affected versions
-
max 5.7.1.
- Status
-
vulnerable
Jun 07, 2024
Photo Gallery by Ays – Responsive Image Gallery # CVE-2021-24462
- CVE, Research URL
- Date
- Aug 02, 2021
- Research Description
- The get_gallery_categories() and get_galleries() functions in the Photo Gallery by Ays – Responsive Image Gallery WordPress plugin before 4.4.4 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard
- Affected versions
-
max 4.4.4.
- Status
-
vulnerable
Photo Gallery by Ays – Responsive Image Gallery # CVE-2016-10921
- CVE, Research URL
- Date
- Aug 22, 2019
- Research Description
- The gallery-photo-gallery plugin before 1.0.1 for WordPress has SQL injection.
- Affected versions
-
max 4.4.4.
- Status
-
vulnerable
Photo Gallery by Ays – Responsive Image Gallery # CVE-2023-2568
- CVE, Research URL
- Date
- Jun 12, 2023
- Research Description
- The Photo Gallery by Ays WordPress plugin before 5.1.7 does not escape some parameters before outputting it back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin
- Affected versions
-
max 5.1.7.
- Status
-
vulnerable
Photo Gallery by Ays – Responsive Image Gallery # CVE-2023-39917
- CVE, Research URL
- Date
- Oct 03, 2023
- Research Description
- Cross-Site Request Forgery (CSRF) vulnerability in Photo Gallery Team Photo Gallery by Ays – Responsive Image Gallery plugin <= 5.2.6 versions.
- Affected versions
-
max 5.2.7.
- Status
-
vulnerable
Photo Gallery by Ays – Responsive Image Gallery # CVE-2023-32107
- CVE, Research URL
- Date
- Aug 18, 2023
- Research Description
- Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Photo Gallery Team Photo Gallery by Ays – Responsive Image Gallery plugin <= 5.1.3 versions.
- Affected versions
-
max 5.1.4.
- Status
-
vulnerable
Photo Gallery by Ays – Responsive Image Gallery # CVE-2024-29919
- CVE, Research URL
- Date
- Mar 27, 2024
- Research Description
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Photo Gallery Team Photo Gallery by Ays allows Reflected XSS.This issue affects Photo Gallery by Ays: from n/a through 5.5.2.
- Affected versions
-
max 5.5.3.
- Status
-
vulnerable