10web
Products by 10web Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 16 vulnerabilities in 10web with an average score of 6.4 out of ten. Last year, in 2025, 10web had 17 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in 10web in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.08.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 16 | 6.44 |
| 2025 | 17 | 6.52 |
| 2024 | 40 | 5.77 |
| 2023 | 17 | 6.41 |
| 2022 | 11 | 6.34 |
| 2021 | 8 | 6.50 |
| 2020 | 1 | 0.00 |
| 2019 | 8 | 8.12 |
It may take a day or so for new 10web vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent 10web Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-11776 | Jun 18, 2026 | WordPress Form Maker <=1.15.43 SQLi via groupids (authenticated admin). The Form Maker by 10Web Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'groupids' parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |
| CVE-2026-11777 | Jun 18, 2026 | SQLi Vulnerability in Form Maker <=1.15.43 via 'name' Param. The Form Maker by 10Web Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'name' parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |
| CVE-2026-39502 | Jun 15, 2026 | Unauthenticated SQLi in 10Web Form Maker <=1.15.38. Unauthenticated SQL Injection in Form Maker by 10Web <= 1.15.38 versions. | |
| CVE-2026-9829 | Jun 06, 2026 | WordPress 10Web Photo Gallery <=1.8.41 Time-Based SQLi via compact_album_order_by. The Photo Gallery by 10Web Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based SQL Injection via the 'compact_album_order_by' Shortcode Parameter in all versions up to, and including, 1.8.41 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The malicious payload is stored via the 'shortcode_bwg' AJAX handler accessible to Contributor-level users and exploitable without a valid nonce by omitting the 'page' parameter, and is subsequently triggered by the unauthenticated 'bwg_frontend_data' AJAX handler, meaning successful exploitation requires only that an attacker has Contributor-level access to save the shortcode. | |
| CVE-2026-49771 | Jun 04, 2026 | 10Web Photo Gallery <=1.8.41 Blind SQLi Vulnerability. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in 10Web Photo Gallery by 10Web allows Blind SQL Injection. This issue affects Photo Gallery by 10Web: from n/a through 1.8.41. | |
| CVE-2026-7048 | May 28, 2026 | Photo Gallery by 10Web: SQL Injection via order_by up to 1.8.40. The Photo Gallery by 10Web Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order_by' parameter in all versions up to, and including, 1.8.40 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is exploitable by embedding a malicious shortcode in a post or draft, allowing the injected SQL to execute when the shortcode is rendered. | |
| CVE-2018-25346 | May 23, 2026 | WordPress Form Maker Plugin <=1.12.24 SQLi via FormMakerSQLMapping Action. WordPress Form Maker Plugin 1.12.24 and below contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through the FormMakerSQLMapping and generete_csv actions. Attackers can submit POST requests with malicious SQL payloads in the name and search_labels parameters to extract, modify, or escalate privileges within the WordPress database. | |
| CVE-2026-3359 | May 05, 2026 | SQLi via 'inputs' param in 10Web Form Maker <=1.15.42. The Form Maker by 10Web Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to SQL Injection via the 'inputs' parameter in versions up to, and including, 1.15.42 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |
| CVE-2026-3330 | Apr 17, 2026 | SQL Injection in The Form Maker WP Plugin v1.15.40 via unsanitized params. The Form Maker by 10Web plugin for WordPress is vulnerable to SQL Injection via the 'ip_search', 'startdate', 'enddate', 'username_search', and 'useremail_search' parameters in all versions up to, and including, 1.15.40. This is due to the `WDW_FM_Library::validate_data()` method calling `stripslashes()` on user input (removing WordPress's `wp_magic_quotes()` protection) and the `FMModelSubmissions_fm::get_labels_parameters()` function directly concatenating user-supplied values into SQL queries without using `$wpdb->prepare()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Additionally, the Submissions controller skips nonce verification for the `display` task, which means this vulnerability can be triggered via CSRF by tricking an administrator into clicking a crafted link. | |
| CVE-2026-4388 | Apr 14, 2026 | Form Maker by 10Web WP Plugin <=1.15.40 Stored XSS via Matrix Field (Text Box). The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field (Text Box input type) in form submissions in all versions up to, and including, 1.15.40. This is due to insufficient input sanitization (`sanitize_text_field` strips tags but not quotes) and missing output escaping when rendering submission data in the admin Submissions view. This makes it possible for unauthenticated attackers to inject arbitrary JavaScript through a form submission that executes in the browser of an administrator who views the submission details. | |
| CVE-2025-15441 | Apr 13, 2026 | SQL Injection via MySQL Mapping in Form Maker by 10Web (<1.15.38). The Form Maker by 10Web WordPress plugin before 1.15.38 does not properly prepare SQL queries when the "MySQL Mapping" feature is in use, which could make SQL Injection attacks possible in certain contexts. | |
| CVE-2026-32330 | Mar 13, 2026 | 10Web Photo Gallery <=1.8.37 CSRF Vulnerability. Cross-Site Request Forgery (CSRF) vulnerability in 10Web Photo Gallery by 10Web photo-gallery allows Cross Site Request Forgery. This issue affects Photo Gallery by 10Web: from n/a through <= 1.8.37. | |
| CVE-2026-27360 | Feb 19, 2026 | 10Web Photo Gallery <=1.8.37 Stored XSS. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10Web Photo Gallery by 10Web photo-gallery allows Stored XSS. This issue affects Photo Gallery by 10Web: from n/a through <= 1.8.38. | |
| CVE-2026-1058 | Feb 03, 2026 | Stored XSS in Form Maker 1.15.35 via hidden fields. The Form Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via hidden field values in all versions up to, and including, 1.15.35. This is due to insufficient output escaping when displaying hidden field values in the admin submissions list. The plugin uses html_entity_decode() on user-supplied hidden field values without subsequent escaping before output, which converts HTML entity-encoded payloads back into executable JavaScript. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin submissions view that will execute whenever an administrator accesses the submissions list. | |
| CVE-2026-1065 | Feb 03, 2026 | Form Maker wp plugin stored XSS via SVG upload 1.15.35. The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist including SVG files combined with weak substring-based extension validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript code that will execute when viewed by administrators or site visitors via file upload fields in forms, provided they can submit forms. | |
| CVE-2026-1036 | Jan 21, 2026 | Unauth Delete via delete_comment() in 10Web Photo Gallery 1.8.36. The Photo Gallery by 10Web Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_comment() function in all versions up to, and including, 1.8.36. This makes it possible for unauthenticated attackers to delete arbitrary image comments. Note: comments functionality is only available in the Pro version of the plugin. | |
| CVE-2025-13377 | Dec 06, 2025 | 10Web Booster 2.32.7: Arbitrary Folder Deletion via get_cache_dir(). The 10Web Booster Website speed optimization, Cache & Page Speed optimizer plugin for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the get_cache_dir_for_page_from_url() function in all versions up to, and including, 2.32.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary folders on the server, which can easily lead to a loss of data or a denial of service condition. | |
| CVE-2020-36853 | Oct 18, 2025 | 10WebMapBuilder 1.0.63: Stored XSS via Settings Change. The 10WebMapBuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Plugin Settings Change in versions up to, and including, 1.0.63 due to insufficient input sanitization and output escaping and a lack of capability checks. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |
| CVE-2025-48341 | May 19, 2025 | 10Web Form Maker: Stored XSS in 10W Form Maker up to 1.15.33 (CVE-2025-48341). Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10Web Form Maker by 10Web allows Stored XSS. This issue affects Form Maker by 10Web: from n/a through 1.15.33. | |
| CVE-2024-13053 | May 15, 2025 | 10Web Form Maker XSS before 1.15.33. The Form Maker by 10Web WordPress plugin before 1.15.33 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |
| CVE-2024-8670 | May 15, 2025 | Photo Gallery by 10Web WP plugin <1.8.29: Stored XSS via unsanitized settings. The Photo Gallery by 10Web WordPress plugin before 1.8.29 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |
| CVE-2024-10680 | Apr 16, 2025 | Form Maker 10Web WP Plugin <1.15.32: Stored XSS via unsanitised settings. The Form Maker by 10Web WordPress plugin before 1.15.32 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |
| CVE-2025-2269 | Apr 12, 2025 | XSS via image_id in Photo Gallery by 10Web WP plugin up to 1.8.34. The Photo Gallery by 10Web Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the image_id parameter in all versions up to, and including, 1.8.34 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrative user into performing an action such as clicking on a link. | |
| CVE-2025-0613 | Mar 31, 2025 | 10Web Photo Gallery WP Plugin XSS before 1.8.34 Unauthenticated Stored-XSS. The Photo Gallery by 10Web WordPress plugin before 1.8.34 does not sanitise and escape comments added on images by unauthenticated users, leading to an Unauthenticated Stored-XSS attack when comments are displayed. | |
| CVE-2024-10560 | Mar 25, 2025 | WP 10Web Form Maker <1.15.30 Unsanitised Settings XSS. The Form Maker by 10Web WordPress plugin before 1.15.30 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |
| CVE-2024-10565 | Mar 25, 2025 | Stored XSS in 10Web Slider WP Plugin before 1.2.62. The Slider by 10Web WordPress plugin before 1.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |
| CVE-2024-10566 | Mar 25, 2025 | XSS via unsanitised settings in Slider by 10Web WP plugin <1.2.62. The Slider by 10Web WordPress plugin before 1.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |
| CVE-2024-13124 | Mar 24, 2025 | Stored XSS in 10Web PhotoGallery WP plugin before 1.8.33. The Photo Gallery by 10Web WordPress plugin before 1.8.33 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |
| CVE-2024-10558 | Mar 24, 2025 | WordPress Form Maker <=1.15.30 XSS via Unsanitised Settings. The Form Maker by 10Web WordPress plugin before 1.15.30 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |
| CVE-2024-13605 | Feb 24, 2025 | Form Maker WP Plugin <1.15.33 Vulnerable to Stored XSS. The Form Maker by 10Web WordPress plugin before 1.15.33 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |
| CVE-2024-10562 | Jan 07, 2025 | 10Web Form Maker WP Plugin 1.15.31 XSS via unsanitized settings. The Form Maker by 10Web WordPress plugin before 1.15.31 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |
| CVE-2023-45272 | Jan 02, 2025 | Missing Auth in 10Web Map Builder for Google Maps (<=1.0.73). Missing Authorization vulnerability in 10Web 10Web Map Builder for Google Maps wd-google-maps allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 10Web Map Builder for Google Maps: from n/a through <= 1.0.73. | |
| CVE-2023-47807 | Jan 02, 2025 | 10WebAnalytics v1.2.12 Missing Auth: access control flaw. Missing Authorization vulnerability in 10Web 10WebAnalytics wd-google-analytics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 10WebAnalytics: from n/a through <= 1.2.12. | |
| CVE-2023-33995 | Dec 13, 2024 | Missing Auth in Photo Gallery by 10Web <1.8.15, Access Control Bypass. Missing Authorization vulnerability in 10Web Photo Gallery by 10Web photo-gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Photo Gallery by 10Web: from n/a through <= 1.8.15. | |
| CVE-2024-5020 | Dec 04, 2024 | WordPress Plugins Stored XSS Vulnerability in FancyBox JavaScript Library. Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled FancyBox JavaScript library (versions 1.3.4 to 3.5.7) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |
| CVE-2024-10704 | Nov 29, 2024 | Stored XSS Vulnerability in Photo Gallery by 10Web WordPress Plugin. The Photo Gallery by 10Web WordPress plugin before 1.8.31 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |
| CVE-2024-10265 | Nov 10, 2024 | Form Maker by 10Web XSS via add_query_arg. The Form Maker by 10Web Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.15.30. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |
| CVE-2024-9878 | Nov 05, 2024 | 10Web Gallery XSS in Admin Settings. The Photo Gallery by 10Web Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.8.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | |
| CVE-2024-9628 | Oct 25, 2024 | WPS Telegram Chat v4.5.4 Unauthorized Data Modification via Missing Capability Check. The WPS Telegram Chat plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'Wps_Telegram_Chat_Admin::check?onnection' function in versions up to, and including, 4.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to have full access to the Telegram Bot API endpoint and communicate with it. | |
| CVE-2024-9630 | Oct 25, 2024 | WPS Telegram Chat <=4.5.4 Auth Bypass via Missing Capability Check. The WPS Telegram Chat plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when accessing messages in versions up to, and including, 4.5.4. This makes it possible for unauthenticated attackers to view the messages that are sent through the Telegram Bot API. | |
| CVE-2024-9607 | Oct 25, 2024 | 10Web Social Post Feed v1.2.9 XSS via add_query_arg. The 10Web Social Post Feed plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.9. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Please note this is only exploitable when the "leave a review" notice is present. | |
| CVE-2024-5968 | Oct 09, 2024 | XSS via Gallery settings in The Photo Gallery by 10Web v<1.8.28. The Photo Gallery by 10Web WordPress plugin before 1.8.28 does not properly sanitise and escape some of its Gallery settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |
| CVE-2024-44043 | Oct 06, 2024 | 10Web Photo Gallery 1.8.27 XSS via unsanitized input: Stored XSS. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10Web Photo Gallery by 10Web photo-gallery allows Stored XSS. This issue affects Photo Gallery by 10Web: from n/a through <= 1.8.27. | |
| CVE-2024-8283 | Sep 30, 2024 | WordPress Slider 10Web Plugin v<1.2.59 Stored XSS. The Slider by 10Web WordPress plugin before 1.2.59 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |
| CVE-2024-8633 | Sep 26, 2024 | Stored XSS in Form Maker WP plugin <=1.15.27. The Form Maker by 10Web Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.27 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |
| CVE-2024-43220 | Aug 12, 2024 | 10Web Form Maker Reflected XSS in Versions <=1.15.26. Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in 10Web Form Builder Team Form Maker by 10Web allows Reflected XSS. This issue affects Form Maker by 10Web: from n/a through 1.15.26. | |
| CVE-2024-7150 | Aug 08, 2024 | SQLi via id param in Slider by 10Web <=1.2.57 (WordPress). The Slider by 10Web Responsive Image Slider plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' parameter in all versions up to, and including, 1.2.57 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |
| CVE-2024-6272 | Jul 31, 2024 | SpiderContacts WP Plugin <=1.1.7 Reflected XSS via unsanitized param. The SpiderContacts WordPress plugin through 1.1.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |
| CVE-2024-6408 | Jul 31, 2024 | XSS in Slider by 10Web WP plugin (v<1.2.57) for privileged users. The Slider by 10Web WordPress plugin before 1.2.57 does not sanitise and escape its Slider Title, which could allow high privilege users such as editors and above to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. | |
| CVE-2024-6026 | Jul 11, 2024 | Stored XSS in Slider by 10Web WP Plugin <1.2.56. The Slider by 10Web WordPress plugin before 1.2.56 does not sanitise and escape some of its Slide options, which could allow authenticated users with access to the Sliders (by default Administrator, although this can be changed via the plugin's options) and the ability to add images (Editor+) to perform Stored Cross-Site Scripting attacks. | |