Vulnerabilities and security researches for wp-photo-album-plus

CVE: CVE-2013-3254
Application: WP Photo Album Plus
Date: Jun 07, 2024, 07:06:15
Research Description: Cross-site scripting (XSS) vulnerability in wp-admin/admin.php in the WP Photo Album Plus plugin before 5.0.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the commentid parameter in a wppa_manage_comments edit action.
Status: vulnerable

Medium
Actual on: Jul 05, 2024, 11:07:25

CVE: CVE-2021-25115
Application: WP Photo Album Plus
Date: Jun 07, 2024, 07:06:15
Research Description: The WP Photo Album Plus WordPress plugin before 8.0.10 was vulnerable to Stored Cross-Site Scripting (XSS). Error log content was handled improperly, therefore any user, even unauthenticated, could cause arbitrary javascript to be executed in the admin panel.
Status: vulnerable

Medium
Actual on: Jul 05, 2024, 11:07:25

CVE: CVE-2015-3647
Application: WP Photo Album Plus
Date: Jun 07, 2024, 07:06:15
Research Description: Multiple cross-site scripting (XSS) vulnerabilities in wppa-ajax-front.php in the WP Photo Album Plus (aka WPPA) plugin before 6.1.3 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) comemail or (2) comname parameter in a wppa do-comment action.
Status: vulnerable

Medium
Actual on: Jul 05, 2024, 11:07:25

CVE: CVE-2023-49813
Application: WP Photo Album Plus
Date: Jun 07, 2024, 07:06:15
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus allows Stored XSS.This issue affects WP Photo Album Plus: from n/a through 8.5.02.005.
Status: vulnerable

Medium
Actual on: Jul 05, 2024, 11:07:25

CVE: CVE-2023-49774
Application: WP Photo Album Plus
Date: Jun 07, 2024, 07:06:15
Research Description: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WP Photo Album Plus: from n/a through 8.5.02.005.
Status: vulnerable

Medium
Actual on: Jul 05, 2024, 11:07:25

CVE: CVE-2024-4037
Application: WP Photo Album Plus
Date: Jun 07, 2024, 07:06:15
Research Description: The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.7.02.003. This is due to the plugin allowing unauthenticated users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Status: vulnerable

Medium
Actual on: Jul 05, 2024, 11:07:25

CVE: CVE-2024-31286
Application: WP Photo Album Plus
Date: Jun 07, 2024, 07:06:15
Research Description: Unrestricted Upload of File with Dangerous Type vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus.This issue affects WP Photo Album Plus: from n/a before 8.6.03.005.
Status: vulnerable

VeryHigh
Actual on: Jul 05, 2024, 11:07:25

CVE: CVE-2024-31377
Application: WP Photo Album Plus
Date: Jun 07, 2024, 07:06:15
Research Description: Unrestricted Upload of File with Dangerous Type vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus.This issue affects WP Photo Album Plus: from n/a through 8.7.01.001.
Status: vulnerable

VeryHigh
Actual on: Jul 05, 2024, 11:07:25

CVE: CVE-2023-49812
Application: WP Photo Album Plus
Date: Jun 07, 2024, 07:06:15
Research Description: Authorization Bypass Through User-Controlled Key vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus.This issue affects WP Photo Album Plus: from n/a through 8.5.02.005.
Status: vulnerable

High
Actual on: Jul 05, 2024, 11:07:25

CVE: CVE-2014-8814
Application: WP Photo Album Plus
Date: Jun 10, 2024, 12:06:27
Research Description: The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘walbum’ parameter in versions up to, and including, 5.4.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Status: vulnerable

Medium
Actual on: Jul 05, 2024, 11:07:25

CVE: CVE-2008-0939
Application: WP Photo Album Plus
Date: Jun 10, 2024, 12:06:28
Research Description: Multiple SQL injection vulnerabilities in wppa.php in the WP Photo Album (WPPA) before 1.1 plugin for WordPress allow remote attackers to execute arbitrary SQL commands via (1) the photo parameter to index.php, used by the wppa_photo_name function; or (2) the album parameter to index.php, used by the wppa_album_name function. NOTE: some of these details are obtained from third party information.
Status: vulnerable

VeryHigh
Actual on: Jul 05, 2024, 11:07:25

CVE: CVE-2024-37416
Application: WP Photo Album Plus
Date: Jul 02, 2024, 17:07:07
Research Description: WP Photo Album Plus [wp-photo-album-plus] < 8.8.00.003 CVE-2024-37416
Status: vulnerable

Unknown
Actual on: Jul 05, 2024, 11:07:25