Add beautiful, fully responsive galleries, albums, images, and categories to your WordPress website quickly and easily. Showcase your portfolio, photo …
Gallery by BestWebSoft är ett populärt WordPress-tillägg som låter dig enkelt skapa och hantera bildgallerier, album och portfolios på din webbplats. Trots sina användbara funktioner för att visa bilder på ett professionellt sätt, har tillägget en omfattande säkerhetshistorik som kräver uppmärksamhet.
Tillägget har totalt 38 dokumenterade sårbarheter, vilket är ett betydande antal. Fördelningen visar 3 kritiska, 8 höga, 23 medelsvåra och 4 låga sårbarheter. De kritiska och höga sårbarheterna kan potentiellt ge obehöriga personer tillgång till din webbplats eller möjlighet att manipulera innehåll.
Den senaste kända sårbarheten rapporterades 2019-08-09, vilket tyder på att utvecklarna har arbetat aktivt med säkerhetsförbättringar under senare år. Med 10 000 aktiva installationer får tillägget också kontinuerlig granskning från WordPress-communityn.
Om du använder detta tillägg, säkerställ att du kör den senaste versionen och övervaka regelbundet för uppdateringar. Överväg att implementera extra säkerhetsåtgärder som brandvägg och säkerhetskopiering. Regelbundna uppdateringar är alltid det bästa skyddet mot kända sårbarheter.
Kör ett gratis test och se om din hemsida är påverkad av dessa sårbarheter.
Påverkade versioner: <= 4.7.3
Påverkade versioner: < 1.5.25
The 10Web Photo Gallery plugin before 1.5.25 for WordPress has Authenticated Local File Inclusion via directory traversal in the wp-admin/admin-ajax.php?action=shortcode_bwg tagtext parameter.
Påverkade versioner: < 1.5.23
The 10Web Photo Gallery plugin before 1.5.23 for WordPress has authenticated stored XSS.
Påverkade versioner: < 1.5.31
A SQL injection vulnerability exists in the 10Web Photo Gallery plugin before 1.5.31 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system via filemanager/m...
Påverkade versioner: all
XSS exists in the Tribulant Slideshow Gallery plugin 1.6.8 for WordPress via the wp-admin/admin.php?page=slideshow-slides&method=save Slide[title], Slide[media_file], or Slide[image_url] parameter.
Påverkade versioner: all
SQL Injection exists in the Tribulant Slideshow Gallery plugin 1.6.8 for WordPress via the wp-admin/admin.php?page=slideshow-galleries&method=save Gallery[id] or Gallery[title] parameter.
Påverkade versioner: all
XSS exists in the Tribulant Slideshow Gallery plugin 1.6.8 for WordPress via the wp-admin/admin.php?page=slideshow-galleries&method=save Gallery[id] or Gallery[title] parameter.
Påverkade versioner: all
The wpape APE GALLERY plugin 1.6.14 for WordPress has stored XSS via the classGallery.php getCategories function.
Påverkade versioner: < 1.6.6.1
The Tribulant Slideshow Gallery plugin before 1.6.6.1 for WordPress has XSS via the id, method, Gallerymessage, Galleryerror, or Galleryupdated parameter.
Påverkade versioner: < 2.1.57
The Imagely NextGen Gallery plugin for Wordpress prior to version 2.1.57 does not properly validate user input in the cssfile parameter of a HTTP POST request, which may allow an authenticated user to read arbitrary files from the server, or execute...
Påverkade versioner: <= 2.2.46
In the nextgen-gallery plugin before 2.2.50 for WordPress, gallery paths are not secured.
Påverkade versioner: < 1.2.13
Cross-site scripting (XSS) vulnerability in the filemanager in the Photo Gallery plugin before 1.2.13 for WordPress allows remote authenticated users with edit permission to inject arbitrary web script or HTML via unspecified vectors.
Påverkade versioner: <= 1.2.0
SQL injection vulnerability in the Responsive Image Gallery plugin before 1.2.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the "id" parameter in an add_edit_theme task in the wpdevart_gallery_themes page to wp-admin/a...
Påverkade versioner: all
In the nggallery-manage-gallery page in the Photocrati NextGEN Gallery plugin 2.1.15 for WordPress, XSS is possible for remote authenticated administrators via the images[1][alttext] parameter.
Påverkade versioner: all
In post-new.php in the Photocrati NextGEN Gallery plugin 2.1.10 for WordPress, unrestricted file upload is available via the name parameter, if a file extension is changed from .jpg to .php.
Påverkade versioner: all
upload.php in the Powerplay Gallery plugin 3.3 for WordPress allows remote attackers to create arbitrary directories via vectors related to the targetDir variable.
Påverkade versioner: all
lib/core.php in the Cool Video Gallery plugin 1.9 for WordPress allows remote attackers to execute arbitrary code via shell metacharacters in the "Width of preview image" and possibly other input fields in the "Video Gallery Settings" page.
Påverkade versioner: all
Unrestricted file upload vulnerability in upload.php in the Powerplay Gallery plugin 3.3 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the f...
Påverkade versioner: all
Multiple SQL injection vulnerabilities in upload.php in the Powerplay Gallery plugin 3.3 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) albumid or (2) name parameter.
Påverkade versioner: <= 3.1.3
Unrestricted file upload vulnerability in admin/scripts/FileUploader/php.php in the ReFlex Gallery plugin before 3.1.4 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via...
Påverkade versioner: <= 1.2.9
SQL injection vulnerability in the Photo Gallery plugin before 1.2.11 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the asc_or_desc parameter in a create gallery request in the galleries_bwg page to wp-admin/ad...
Påverkade versioner: all
SQL injection vulnerability in the Photo Gallery plugin 1.2.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the order_by parameter in a GalleryBox action to wp-admin/admin-ajax.php.
Påverkade versioner: all
Multiple cross-site request forgery (CSRF) vulnerabilities in the Lightbox Photo Gallery plugin 1.0 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings via unspecified vecto...
Påverkade versioner: all
Multiple cross-site scripting (XSS) vulnerabilities in deploy/designer/preview.php in the Digital Zoom Studio (DZS) Video Gallery plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) swfloc or (2) designrand...
Påverkade versioner: all
Multiple cross-site scripting (XSS) vulnerabilities in the Web-Dorado Photo Gallery plugin 1.1.30 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) callback, (2) dir, or (3) extensions parameter in an...
Påverkade versioner: all
SQL injection vulnerability in the editgallery function in admin/gallery_func.php in the Huge-IT Image Gallery plugin 1.0.1 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the removeslide parameter to wp-admin/ad...
Påverkade versioner: <= 1.4.6
Unrestricted file upload vulnerability in the Tribulant Slideshow Gallery plugin before 1.4.7 for WordPress allows remote authenticated users to execute arbitrary code by uploading a PHP file, then accessing it via a direct request to the file in wp-...
Påverkade versioner: all
SQL injection vulnerability in the All Video Gallery (all-video-gallery) plugin 1.2 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the id parameter in an edit action in the allvideogallery_videos page t...
Påverkade versioner: <= 1.1.0
Unspecified vulnerability in the All Video Gallery (all-video-gallery) plugin before 1.2.0 for WordPress has unspecified impact and attack vectors.
Påverkade versioner: <= 0.7
Cross-site scripting (XSS) vulnerability in fpg_preview.php in the Flash Photo Gallery plugin 0.7 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the path parameter.
Påverkade versioner: all
Multiple cross-site scripting (XSS) vulnerabilities in the Digital Zoom Studio (DZS) Video Gallery plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the logoLink parameter to (1) preview.swf, (2) preview_skin_roug...
Påverkade versioner: <= 1.9.17
Cross-site scripting (XSS) vulnerability in admin/manage-images.php in the NextCellent Gallery plugin before 1.19.18 for WordPress allows remote authenticated users with the NextGEN Upload images, NextGEN Manage gallery, or NextGEN Manage others gall...
Påverkade versioner: <= 1.7.9
The File Gallery plugin before 1.7.9.2 for WordPress does not properly escape strings, which allows remote administrators to execute arbitrary PHP code via a \' (backslash quote) in the setting fields to /wp-admin/options-media.php, related to the cr...
Påverkade versioner: <= 1.1.20
Cross-site scripting (XSS) vulnerability in the Lazyest Gallery plugin before 1.1.21 for WordPress allows remote attackers to inject arbitrary web script or HTML via an EXIF tag. NOTE: some of these details are obtained from third party information.
Påverkade versioner: all
Cross-site scripting (XSS) vulnerability in includes/CatGridPost.php in the Category Grid View Gallery plugin 2.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ID parameter.
Påverkade versioner: all
Unrestricted file upload vulnerability in uploader.php in the RBX Gallery plugin 2.1 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file...
Påverkade versioner: all
Cross-site scripting (XSS) vulnerability in vodpod-video-gallery/vodpod_gallery_thumbs.php in the Vodpod Video Gallery Plugin 3.1.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the gid parameter.
Påverkade versioner: <= 1.5.1
Cross-site scripting (XSS) vulnerability in xml/media-rss.php in the NextGEN Gallery plugin before 1.5.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the mode parameter.
Påverkade versioner: <= 0.2.2
Directory traversal vulnerability in getConfig.php in the Page Flip Image Gallery plugin 0.2.2 and earlier for WordPress, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the book_id parameter....
Sårbarheter i tillägg är den vanligaste attackytan för WordPress-sajter. Det bästa skyddet är att vara proaktiv — här är tre konkreta steg.
De flesta sårbarheter i Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress åtgärdas snabbt av utvecklarna. Uppdatera alltid till senaste versionen.
Varje tillägg är en potentiell attackyta. Avinstallera det du inte aktivt använder.
Med löpande övervakning upptäcker du problem innan de blir allvarliga.
Vill du slippa hålla koll själv? Med ett supportavtal från Sitesupport sköter vi uppdateringar och säkerhet åt dig.
Kör ett gratis test och se hur din sajt presterar inom SEO, säkerhet, prestanda och tillgänglighet — på under en minut.
Testa gratisInget konto krävs