Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 13
Critical: 2
High: 1
Medium: 10
Showing 1-13 of 13 records

Threat Entry Updated 2026-04-15

CVE-2026-1254 - Video Gallery Plugin

The Modula Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.13.6. This is due to the plugin not properly verifying that a user is authorized to modify specific posts before updating them via the REST API. This makes it possible for authenticated attackers, with contributor level access and above, to update the title, excerpt, and content of arbitrary posts by passing post IDs in the modulaImages field when editing a gallery.

PLUGIN Video Gallery

CVE-2026-1254

MEDIUM CVSS 4.3 2026-02-14

Threat Entry Updated 2025-12-15

CVE-2025-14003 - Video Gallery Plugin

The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `add_images_to_gallery_callback()` function in all versions up to, and including, 2.13.3. This makes it possible for authenticated attackers, with Author-level access and above, to add images to arbitrary Modula galleries owned by other users.

PLUGIN Video Gallery

CVE-2025-14003

MEDIUM CVSS 4.3 2025-12-15

Threat Entry Updated 2025-12-12

CVE-2025-13891 - Video Gallery Plugin

The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.13.3. This is due to the modula_list_folders AJAX endpoint that lacks proper path validation and base directory restrictions. While the endpoint verifies user capabilities (Author+ with upload_files and edit_posts permissions), it fails to validate that user-supplied directory paths reside within safe directories. This makes it possible for authenticated attackers, with Author-level access and above, to enumerate arbitrary directories on the server via the modula_list_folders endpoint.

PLUGIN Video Gallery

CVE-2025-13891

MEDIUM CVSS 6.5 2025-12-12

Threat Entry Updated 2025-11-18

CVE-2025-12494 - Video Gallery Plugin

The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajax_import_file function in all versions up to, and including, 2.12.28. This makes it possible for authenticated attackers, with author-level access and above, to move arbitrary image files on the server.

PLUGIN Video Gallery

CVE-2025-12494

MEDIUM CVSS 4.3 2025-11-15

Threat Entry Updated 2025-07-09

CVE-2024-9769 - Video Gallery Plugin

The Video Gallery – Best WordPress YouTube Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Video Gallery

CVE-2024-9769

MEDIUM CVSS 4.4 2024-12-06

Threat Entry Updated 2025-07-09

CVE-2024-10247 - Video Gallery Plugin

The Video Gallery – Best WordPress YouTube Gallery Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the orderby parameter in all versions up to, and including, 2.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Video Gallery

CVE-2024-10247

HIGH CVSS 7.2 2024-12-06

Threat Entry Updated 2024-11-21

CVE-2024-4258 - Video Gallery Plugin

The Video Gallery – YouTube Playlist, Channel Gallery by YotuWP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.13 via the settings parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

PLUGIN Video Gallery

CVE-2024-4258

CRITICAL CVSS 9.8 2024-06-15

Threat Entry Updated 2024-11-21

CVE-2024-4551 - Video Gallery Plugin

The Video Gallery – YouTube Playlist, Channel Gallery by YotuWP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.13 via the display function. This makes it possible for authenticated attackers, with contributor access and higher, to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded…

PLUGIN Video Gallery

CVE-2024-4551

MEDIUM CVSS 6.4 2024-06-15

Threat Entry Updated 2025-02-07

CVE-2024-3268 - Video Gallery Plugin

The YouTube Video Gallery by YouTube Showcase – Video Gallery Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the emd_form_builder_lite_submit_form function in all versions up to, and including, 3.3.6. This makes it possible for unauthenticated attackers to create arbitrary posts or pages.

PLUGIN Video Gallery

CVE-2024-3268

MEDIUM CVSS 5.3 2024-05-21

Threat Entry Updated 2025-02-26

CVE-2023-45069 - Video Gallery Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Video Gallery by Total-Soft Video Gallery – Best WordPress YouTube Gallery Plugin allows SQL Injection. This issue affects Video Gallery – Best WordPress YouTube Gallery Plugin: from n/a through 2.1.3.

PLUGIN Video Gallery

CVE-2023-45069

CRITICAL CVSS 9.8 2023-11-06

Threat Entry Updated 2024-11-21

CVE-2023-2708 - Video Gallery Plugin

The Video Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘search_term’ parameter in versions up to, and including, 1.0.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Video Gallery

CVE-2023-2708

MEDIUM CVSS 6.1 2023-05-16

Threat Entry Updated 2024-11-21

CVE-2021-24515 - Video Gallery Plugin

The Video Gallery WordPress plugin before 1.1.5 does not escape the Title and Description of the videos in a gallery before outputting them in attributes, leading to Stored Cross-Site Scripting issues.

PLUGIN Video Gallery

CVE-2021-24515

MEDIUM CVSS 4.8 2021-10-25