Tinywebgallery

tinywebgallery

23 CVEs • 3 products

Products (3)

Click to collapse

Toggle

Wordpress Flash Uploader

wordpress_flash_uploader

1 CVE

CVEs (23)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-53939 1Tinywebgallery 1Tinywebgallery Dec 24, 2025 Dec 18, 2025 5.1 MEDIUM· v4 5.4 MEDIUM· v3 N/A· v2 TinyWebGallery v2.5 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the folder name parameter. Attackers can edit album folder names with scrip...Show more TinyWebGallery v2.5 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the folder name parameter. Attackers can edit album folder names with script tags to execute arbitrary JavaScript when other users view the affected gallery pages.Show less
CVE-2023-53922 1Tinywebgallery 1Tinywebgallery Dec 24, 2025 Dec 17, 2025 9.3 CRITICAL· v4 9.8 CRITICAL· v3 N/A· v2 TinyWebGallery v2.5 contains a remote code execution vulnerability in the admin upload functionality that allows unauthenticated attackers to upload malicious PHP files. Attackers can upload .phar files with embedded sys...Show more TinyWebGallery v2.5 contains a remote code execution vulnerability in the admin upload functionality that allows unauthenticated attackers to upload malicious PHP files. Attackers can upload .phar files with embedded system commands to execute arbitrary code on the server by accessing the uploaded file's URL.Show less
CVE-2025-1440 1Tinywebgallery 1Advanced Iframe Jul 14, 2025 Mar 26, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 The Advanced iFrame plugin for WordPress is vulnerable to unauthorized excessive creation of options on the aip_map_url_callback() function in all versions up to, and including, 2024.5 due to insufficient restrictions. T...Show more The Advanced iFrame plugin for WordPress is vulnerable to unauthorized excessive creation of options on the aip_map_url_callback() function in all versions up to, and including, 2024.5 due to insufficient restrictions. This makes it possible for unauthenticated attackers to update the advancediFrameParameterData option with an excessive amount of unvalidated data.Show less
CVE-2025-1439 1Tinywebgallery 1Advanced Iframe Jul 14, 2025 Mar 26, 2025 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2024.5 due to insufficient input sanitization and o...Show more The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2024.5 due to insufficient input sanitization and output escaping on user supplied attributes through the 'src' attribute when the src supplied returns a header with an injected value . This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.Show less
CVE-2025-1437 1Tinywebgallery 1Advanced Iframe Apr 8, 2026 Mar 26, 2025 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2025.2 due to insufficient input sanitization and o...Show more The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2025.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This was partially patched in version 2024.5, and later improved in version 2025.3.Show less
CVE-2024-1341 1Tinywebgallery 1Advanced Iframe Apr 8, 2026 Feb 29, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's advanced_iframe shortcode in all versions up to, and including, 2024.1 due to the plugin allowing users to include JS...Show more The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's advanced_iframe shortcode in all versions up to, and including, 2024.1 due to the plugin allowing users to include JS files from external sources through the additional_js attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.Show less
CVE-2024-24870 1Tinywebgallery 1Advanced Iframe Apr 28, 2026 Feb 5, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michael Dempfle Advanced iFrame allows Stored XSS.This issue affects Advanced iFrame: from n/a through 2023.10.
CVE-2023-51690 1Tinywebgallery 1Advanced Iframe Apr 28, 2026 Feb 1, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Advanced iFrame allows Stored XSS.This issue affects Advanced iFrame: from n/a through 2023.8.
CVE-2023-7069 1Tinywebgallery 1Advanced Iframe Apr 8, 2026 Feb 1, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2023.10 due to insufficient input sanitization and...Show more The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2023.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-24870 is likely a duplicate of this issue.Show less
CVE-2023-4775 1Tinywebgallery 1Advanced Iframe Apr 8, 2026 Nov 13, 2023 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'advanced_iframe' shortcode in versions up to, and including, 2023.8 due to insufficient input sanitization and output escapin...Show more The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'advanced_iframe' shortcode in versions up to, and including, 2023.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2023-51690 appears to be a potential duplicate of this issue.Show less
CVE-2021-24953 1Tinywebgallery 1Advanced Iframe Nov 21, 2024 Mar 7, 2022 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 The Advanced iFrame WordPress plugin before 2022 does not sanitise and escape the ai_config_id parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue
CVE-2013-2631 1Tinywebgallery 1Tinywebgallery Nov 21, 2024 Feb 3, 2020 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 TinyWebGallery (TWG) 1.8.9 and earlier contains a full path disclosure vulnerability which allows remote attackers to obtain sensitive information through the parameters "twg_browserx" and "twg_browsery" in the page imag...Show more TinyWebGallery (TWG) 1.8.9 and earlier contains a full path disclosure vulnerability which allows remote attackers to obtain sensitive information through the parameters "twg_browserx" and "twg_browsery" in the page image.php.Show less
CVE-2012-2931 1Tinywebgallery 1Tinywebgallery Nov 21, 2024 Jan 9, 2020 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 PHP code injection in TinyWebGallery before 1.8.8 allows remote authenticated users with admin privileges to inject arbitrary code into the .htusers.php file.
CVE-2014-5014 1Tinywebgallery 1Wordpress Flash Uploader Nov 21, 2024 Apr 25, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The WordPress Flash Uploader plugin before 3.1.3 for WordPress allows remote attackers to execute arbitrary commands via vectors related to invalid characters in image_magic_path.
CVE-2017-16635 1Tinywebgallery 1Tinywebgallery May 13, 2026 Nov 6, 2017 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 In TinyWebGallery v2.4, an XSS vulnerability is located in the `mkname`, `mkitem`, and `item` parameters of the `Add/Create` module. Remote attackers with low-privilege user accounts for backend access are able to inject...Show more In TinyWebGallery v2.4, an XSS vulnerability is located in the `mkname`, `mkitem`, and `item` parameters of the `Add/Create` module. Remote attackers with low-privilege user accounts for backend access are able to inject malicious script codes into the `TWG Explorer` item listing. The request method to inject is POST and the attack vector is located on the application-side of the service. The injection point is the add/create input field and the execution point occurs in the item listing after the add or create.Show less
CVE-2012-2932 1Tinywebgallery 1Tinywebgallery May 6, 2026 Apr 24, 2015 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Multiple cross-site scripting (XSS) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to inject arbitrary web script or HTML via the selitems[] parameter in a (1) copy, (2) chmod, or (3) arch ac...Show more Multiple cross-site scripting (XSS) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to inject arbitrary web script or HTML via the selitems[] parameter in a (1) copy, (2) chmod, or (3) arch action to admin/index.php or (4) searchitem parameter in a search action to admin/index.php.Show less
CVE-2012-2930 1Tinywebgallery 1Tinywebgallery May 6, 2026 Apr 24, 2015 N/A· v4 N/A· v3 6.8 MEDIUM· v2 Multiple cross-site request forgery (CSRF) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to hijack the authentication of administrators for requests that (1) add a user via an adduser action...Show more Multiple cross-site request forgery (CSRF) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to hijack the authentication of administrators for requests that (1) add a user via an adduser action to admin/index.php or (2) conduct static PHP code injection attacks in .htusers.php via the user parameter to admin/index.php.Show less
CVE-2012-5347 1Tinywebgallery 1Tinywebgallery Apr 29, 2026 Oct 9, 2012 N/A· v4 N/A· v3 7.5 HIGH· v2 TinyWebGallery 1.8.3 allows remote attackers to execute arbitrary code via shell metacharacters in the command parameter to (1) inc/filefunctions.inc or (2) info.php.
CVE-2011-3810 1Tinywebgallery 1Tinywebgallery Apr 29, 2026 Sep 24, 2011 N/A· v4 N/A· v3 5.0 MEDIUM· v2 TinyWebGallery (TWG) 1.8.3 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by i_frames/i_register.php.
CVE-2009-1911 2Claudio Klingler Tinywebgallery 2Quixplorer Tinywebgallery Apr 23, 2026 Jun 4, 2009 N/A· v4 N/A· v3 6.8 MEDIUM· v2 Directory traversal vulnerability in .include/init.php (aka admin/_include/init.php) in QuiXplorer 2.3.2 and earlier, as used in TinyWebGallery (TWG) 1.7.6 and earlier, allows remote attackers to include and execute arbi...Show more Directory traversal vulnerability in .include/init.php (aka admin/_include/init.php) in QuiXplorer 2.3.2 and earlier, as used in TinyWebGallery (TWG) 1.7.6 and earlier, allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the lang parameter to admin/index.php.Show less

12 Next