cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches forsimply-gallery-block simply-gallery-block

Direction: ascending
Jun 07, 2024

Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # CVE-2023-0441

CVE, Research URL

CVE-2023-0441

Date
Mar 27, 2023
Research Description
The Gallery Blocks with Lightbox WordPress plugin before 3.0.8 has an AJAX endpoint that can be accessed by any authenticated users, such as subscriber. The callback function allows numerous actions, the most serious one being reading and updating the WordPress options which could be used to enable registration with a default administrator user role.
Affected versions
max 3.0.8.
Status
vulnerable

Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # CVE-2021-24667

CVE, Research URL

CVE-2021-24667

Date
Aug 30, 2021
Research Description
A stored cross-site scripting vulnerability has been discovered in : Simply Gallery Blocks with Lightbox (Version – 2.2.0 & below). The vulnerability exists in the Lightbox functionality where a user with low privileges is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of image parameters in meta data.
Affected versions
max 2.2.1.
Status
vulnerable
Jun 28, 2024

Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # CVE-2024-5424

CVE, Research URL

CVE-2024-5424

Date
Jun 28, 2024
Research Description
The Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘galleryID’ and 'className' parameters in all versions up to, and including, 3.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 3.2.2.
Status
vulnerable
Nov 15, 2024

Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # CVE-2022-4974

CVE, Research URL

CVE-2022-4974

Date
Oct 16, 2024
Research Description
The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
Affected versions
max 2.3.6.
Status
vulnerable
Nov 24, 2024

Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # CVE-2024-10034

CVE, Research URL

CVE-2024-10034

Date
Nov 22, 2024
Research Description
The Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the gallery link text parameter in all versions up to, and including, 3.2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 3.2.4.3.
Status
vulnerable
Apr 06, 2025

Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # CVE-2025-32176

CVE, Research URL

CVE-2025-32176

Date
Apr 04, 2025
Research Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GalleryCreator SimpLy Gallery simply-gallery-block allows Stored XSS.This issue affects SimpLy Gallery: from n/a through <= 3.2.5.
Affected versions
max 3.2.6.
Status
vulnerable
Jan 10, 2026

Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # CVE-2025-14288

CVE, Research URL

CVE-2025-14288

Date
Dec 13, 2025
Research Description
The Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin for WordPress is vulnerable to unauthorized modification of plugin settings in all versions up to, and including, 3.3.0. This is due to the plugin using the `edit_posts` capability check instead of `manage_options` for the `update_option` action type in the `pgc_sgb_action_wizard` AJAX handler. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify arbitrary plugin settings prefixed with `pgc_sgb_*`.
Affected versions
max 3.3.1.
Status
vulnerable

Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # CVE-2025-63052

CVE, Research URL

CVE-2025-63052

Date
Dec 09, 2025
Research Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GalleryCreator SimpLy Gallery simply-gallery-block allows Stored XSS.This issue affects SimpLy Gallery: from n/a through <= 3.3.2.1.
Affected versions
max 3.3.2.2.
Status
vulnerable
Apr 13, 2026

Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # CVE-2026-25345

CVE, Research URL

CVE-2026-25345

Date
Mar 25, 2026
Research Description
Improper Validation of Specified Quantity in Input vulnerability in GalleryCreator SimpLy Gallery simply-gallery-block allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects SimpLy Gallery: from n/a through <= 3.3.2.
Affected versions
max 3.3.2.1.
Status
vulnerable
May 02, 2026

Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # CVE-2024-13362

CVE, Research URL

CVE-2024-13362

Date
May 01, 2026
Research Description
Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions
max 3.2.4.5.
Status
vulnerable
Jun 12, 2026

Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # CVE-2023-33999

CVE, Research URL

CVE-2023-33999

Date
Jun 11, 2026
Research Description
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS. This issue affects WP Mail Log: from n/a through 1.0.2.
Affected versions
max 3.1.5.
Status
vulnerable
Jun 16, 2026

Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # ef331ef097f79fe6437de5b3f13a599489a37a1a

Date
Feb 28, 2022
Research Description
Mixed Media Gallery Blocks [simply-gallery-block] < 2.3.6 WordPress Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin <= 2.3.5 - Sensitive Information Disclosure vulnerability Sensitive Information Disclosure vulnerability discovered in WordPress Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin (versions <= 2.3.5).
Affected versions
max 2.3.6.
Status
vulnerable

Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # 6d8910c719b2a132ec93828cd37e418b19cac960

Date
Mar 04, 2022
Research Description
Mixed Media Gallery Blocks [simply-gallery-block] < 2.3.6 Freemius SDK <= 2.4.2 - Missing Authorization Checks The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
Affected versions
max 2.3.6.
Status
vulnerable

Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # 955167da830d5cd3b5549c64c47314fc283cc682

Date
Mar 02, 2023
Research Description
Mixed Media Gallery Blocks [simply-gallery-block] < 3.0.8 WordPress Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery Plugin <= 3.0.7 is vulnerable to Broken Access Control Update the WordPress Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin to the latest available version (at least 3.0.8). WordFence discovered and reported this Broken Access Control vulnerability in WordPress Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery Plugin. This vulnerability has been fixed in version 3.0.8.
Affected versions
max 3.0.8.
Status
vulnerable

Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # 914bc2f181bab91fd64a3f5c4f21a48f5b5b92de

Date
Mar 01, 2023
Research Description
Mixed Media Gallery Blocks [simply-gallery-block] < 3.0.8 Gallery Blocks with Lightbox <= 3.0.7 - Missing Authorization in pgc_sgb_action_wizard The Gallery Blocks with Lightbox plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the pgc_sgb_action_wizard function called via an AJAX action in versions up to, and including, 3.0.7. This makes it possible for authenticated attackers with subscriber-level access to retrieve and edit post data and metadata, update and retrieve arbitrary options, retrieve post listings, as well as taxonomy terms and post content.
Affected versions
max 3.0.8.
Status
vulnerable
Jul 12, 2026

Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery # CVE-2026-5743

CVE, Research URL

CVE-2026-5743

Date
Jul 11, 2026
Research Description
The SimpLy Gallery Block & Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via block attributes in all versions up to, and including, 3.3.3.2. This is due to insufficient input sanitization and output escaping on the sliderMaxHeight block attribute in the pgc_sgb_render_callback() function. The vulnerability exists because the pgc_sgb_sanitize_custom_css() function uses a flawed regex pattern that only removes event handlers with quoted values (e.g., onfocus="alert()") but fails to catch unquoted event handlers (e.g., onfocus=alert(document.cookie)), allowing the malicious code to bypass sanitization. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages via block attributes that will execute whenever a user accesses an injected page.
Affected versions
max 3.3.3.2.
Status
vulnerable