Vulnerabilities and security researches forsimply-gallery-block simply-gallery-block
Direction: ascendingJun 07, 2024
Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # CVE-2023-0441
- CVE, Research URL
- Date
- Mar 27, 2023
- Research Description
- The Gallery Blocks with Lightbox WordPress plugin before 3.0.8 has an AJAX endpoint that can be accessed by any authenticated users, such as subscriber. The callback function allows numerous actions, the most serious one being reading and updating the WordPress options which could be used to enable registration with a default administrator user role.
- Affected versions
-
max 3.0.8.
- Status
-
vulnerable
Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # CVE-2021-24667
- CVE, Research URL
- Date
- Aug 30, 2021
- Research Description
- A stored cross-site scripting vulnerability has been discovered in : Simply Gallery Blocks with Lightbox (Version – 2.2.0 & below). The vulnerability exists in the Lightbox functionality where a user with low privileges is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of image parameters in meta data.
- Affected versions
-
max 2.2.1.
- Status
-
vulnerable
Jun 28, 2024
Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # CVE-2024-5424
- CVE, Research URL
- Date
- Jun 28, 2024
- Research Description
- The Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘galleryID’ and 'className' parameters in all versions up to, and including, 3.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
max 3.2.2.
- Status
-
vulnerable
Nov 15, 2024
Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # CVE-2022-4974
- CVE, Research URL
- Date
- Oct 16, 2024
- Research Description
- The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
- Affected versions
-
max 2.3.6.
- Status
-
vulnerable
Nov 24, 2024
Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # CVE-2024-10034
- CVE, Research URL
- Date
- Nov 22, 2024
- Research Description
- The Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the gallery link text parameter in all versions up to, and including, 3.2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
max 3.2.4.3.
- Status
-
vulnerable
Apr 06, 2025
Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # CVE-2025-32176
- CVE, Research URL
- Date
- Apr 04, 2025
- Research Description
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GalleryCreator SimpLy Gallery simply-gallery-block allows Stored XSS.This issue affects SimpLy Gallery: from n/a through <= 3.2.5.
- Affected versions
-
max 3.2.6.
- Status
-
vulnerable
Jan 10, 2026
Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # CVE-2025-14288
- CVE, Research URL
- Date
- Dec 13, 2025
- Research Description
- The Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin for WordPress is vulnerable to unauthorized modification of plugin settings in all versions up to, and including, 3.3.0. This is due to the plugin using the `edit_posts` capability check instead of `manage_options` for the `update_option` action type in the `pgc_sgb_action_wizard` AJAX handler. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify arbitrary plugin settings prefixed with `pgc_sgb_*`.
- Affected versions
-
max 3.3.1.
- Status
-
vulnerable
Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # CVE-2025-63052
- CVE, Research URL
- Date
- Dec 09, 2025
- Research Description
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GalleryCreator SimpLy Gallery simply-gallery-block allows Stored XSS.This issue affects SimpLy Gallery: from n/a through <= 3.3.2.1.
- Affected versions
-
max 3.3.2.2.
- Status
-
vulnerable
Apr 13, 2026
Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # CVE-2026-25345
- CVE, Research URL
- Date
- Mar 25, 2026
- Research Description
- Improper Validation of Specified Quantity in Input vulnerability in GalleryCreator SimpLy Gallery simply-gallery-block allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects SimpLy Gallery: from n/a through <= 3.3.2.
- Affected versions
-
max 3.3.2.1.
- Status
-
vulnerable
May 02, 2026
Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # CVE-2024-13362
- CVE, Research URL
- Date
- May 01, 2026
- Research Description
- Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
- Affected versions
-
max 3.2.4.5.
- Status
-
vulnerable
Jun 12, 2026
Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # CVE-2023-33999
- CVE, Research URL
- Date
- Jun 11, 2026
- Research Description
- Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS. This issue affects WP Mail Log: from n/a through 1.0.2.
- Affected versions
-
max 3.1.5.
- Status
-
vulnerable
Jun 16, 2026
Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # ef331ef097f79fe6437de5b3f13a599489a37a1a
- CVE, Research URL
- Date
- Feb 28, 2022
- Research Description
- Mixed Media Gallery Blocks [simply-gallery-block] < 2.3.6 WordPress Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin <= 2.3.5 - Sensitive Information Disclosure vulnerability Sensitive Information Disclosure vulnerability discovered in WordPress Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin (versions <= 2.3.5).
- Affected versions
-
max 2.3.6.
- Status
-
vulnerable
Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # 6d8910c719b2a132ec93828cd37e418b19cac960
- CVE, Research URL
- Date
- Mar 04, 2022
- Research Description
- Mixed Media Gallery Blocks [simply-gallery-block] < 2.3.6 Freemius SDK <= 2.4.2 - Missing Authorization Checks The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
- Affected versions
-
max 2.3.6.
- Status
-
vulnerable
Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # 955167da830d5cd3b5549c64c47314fc283cc682
- CVE, Research URL
- Date
- Mar 02, 2023
- Research Description
- Mixed Media Gallery Blocks [simply-gallery-block] < 3.0.8 WordPress Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery Plugin <= 3.0.7 is vulnerable to Broken Access Control Update the WordPress Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin to the latest available version (at least 3.0.8). WordFence discovered and reported this Broken Access Control vulnerability in WordPress Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery Plugin. This vulnerability has been fixed in version 3.0.8.
- Affected versions
-
max 3.0.8.
- Status
-
vulnerable
Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # 914bc2f181bab91fd64a3f5c4f21a48f5b5b92de
- CVE, Research URL
- Date
- Mar 01, 2023
- Research Description
- Mixed Media Gallery Blocks [simply-gallery-block] < 3.0.8 Gallery Blocks with Lightbox <= 3.0.7 - Missing Authorization in pgc_sgb_action_wizard The Gallery Blocks with Lightbox plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the pgc_sgb_action_wizard function called via an AJAX action in versions up to, and including, 3.0.7. This makes it possible for authenticated attackers with subscriber-level access to retrieve and edit post data and metadata, update and retrieve arbitrary options, retrieve post listings, as well as taxonomy terms and post content.
- Affected versions
-
max 3.0.8.
- Status
-
vulnerable
Jul 12, 2026
Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # CVE-2026-5743
- CVE, Research URL
- Date
- Jul 11, 2026
- Research Description
- The SimpLy Gallery Block & Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via block attributes in all versions up to, and including, 3.3.3.2. This is due to insufficient input sanitization and output escaping on the sliderMaxHeight block attribute in the pgc_sgb_render_callback() function. The vulnerability exists because the pgc_sgb_sanitize_custom_css() function uses a flawed regex pattern that only removes event handlers with quoted values (e.g., onfocus="alert()") but fails to catch unquoted event handlers (e.g., onfocus=alert(document.cookie)), allowing the malicious code to bypass sanitization. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages via block attributes that will execute whenever a user accesses an injected page.
- Affected versions
-
max 3.3.3.2.
- Status
-
vulnerable