Total: 25 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2022-4165 | 1 Contest-gallery | 1 Contest Gallery | 2024-02-28 | N/A | 6.5 MEDIUM | The Contest Gallery WordPress plugin before 19.1.5.1 and Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the cg_order POST parameter before concatenating it to an SQL query in order-custom-fields-with-and-without-search.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. |
| CVE-2022-4150 | 1 Contest-gallery | 1 Contest Gallery | 2024-02-28 | N/A | 6.5 MEDIUM | The Contest Gallery WordPress plugin before 19.1.5.1 and Contest Gallery Pro WordPress plugin before 19.1.5.1 do not escape the option_id POST parameter before concatenating it to an SQL query in order-custom-fields-with-and-without-search.php. This may allow malicious users with at least author privilege to leak sensitive information from the site's database. |
| CVE-2022-36394 | 1 Contest-gallery | 1 Contest Gallery | 2024-02-28 | N/A | 8.8 HIGH | Authenticated (author+) SQL Injection (SQLi) vulnerability in the Contest Gallery WordPress plugin <= 17.0.4. |
| CVE-2022-27853 | 1 Contest-gallery | 1 Contest Gallery | 2024-02-28 | 3.5 LOW | 4.8 MEDIUM | Authenticated (author or higher role) Stored Cross-Site Scripting (XSS) in Contest Gallery (WordPress plugin) <= 13.1.0.9. |
| CVE-2019-5974 | 1 Contest-gallery | 1 Contest Gallery | 2024-02-28 | 6.8 MEDIUM | 8.8 HIGH | Cross-site request forgery (CSRF) vulnerability in Contest Gallery versions prior to 10.4.5 allows remote attackers to hijack the authentication of administrators via unspecified vectors. |