FoopluginsCVEs & Vulnerabilities

17 CVEs affecting Fooplugins products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

foogallery 15foobox 2
CVE-2025-6068MEDIUM

The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-caption-title` & `data-caption-description` HTML attributes in all versions up to, and including, 2.4.31 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

11 Jul 2025
5.4
CVSS
CVE-2025-5537MEDIUM

The Lightbox & Modal Popup WordPress Plugin – FooBox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image alternative texts in all versions up to, and including, 2.7.34 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

8 Jul 2025
5.4
CVSS
CVE-2024-12119MEDIUM

The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the default_gallery_title_size parameter in all versions up to, and including, 2.4.29 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with granted gallery and album creator roles, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

8 Mar 2025
5.4
CVSS
CVE-2024-12114MEDIUM

The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.29 via the foogallery_attachment_modal_save AJAX action due to missing validation on a user controlled key (img_id). This makes it possible for authenticated attackers, with granted access and above, to update arbitrary post and page content. This requires the Gallery Creator Role setting to be a value lower than 'Editor' for there to be any real impact.

8 Mar 2025
4.3
CVSS
CVE-2023-6947HIGH

The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.4.26. This makes it possible for authenticated attackers, with contributor level or higher to read the contents of arbitrary folders on the server, which can contain sensitive information such as folder structure.

10 Dec 2024
7.7
CVSS
CVE-2024-3276MEDIUM

The Lightbox & Modal Popup WordPress Plugin WordPress plugin before 2.7.28, foobox-image-lightbox-premium WordPress plugin before 2.7.28 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

18 Jun 2024
4.8
CVSS
CVE-2024-2122MEDIUM

The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via album gallery custom URLs in all versions up to, and including, 2.4.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

14 Jun 2024
5.4
CVSS
CVE-2024-2762MEDIUM

The FooGallery WordPress plugin before 2.4.15, foogallery-premium WordPress plugin before 2.4.15 does not validate and escape some of its Gallery settings before outputting them back in the page, which could allow users with a role as low as Author to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin

13 Jun 2024
5.4
CVSS
CVE-2024-2081MEDIUM

The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the foogallery_attachment_modal_save action in all versions up to, and including, 2.4.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

9 Apr 2024
5.4
CVSS
CVE-2024-2471MEDIUM

The FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image attachment fields (such as 'Title', 'Alt Text', 'Custom URL', 'Custom Class', and 'Override Type') in all versions up to, and including, 2.4.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

6 Apr 2024
5.4
CVSS
CVE-2024-0604MEDIUM

The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.4.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

29 Feb 2024
4.8
CVSS
CVE-2023-6747MEDIUM

The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom attributes in all versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping. This makes it possible for contributors and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

3 Jan 2024
5.4
CVSS
CVE-2023-44233HIGH

Cross-Site Request Forgery (CSRF) vulnerability in FooPlugins Best WordPress Gallery Plugin – FooGallery plugin <= 2.2.44 versions.

6 Oct 2023
8.8
CVSS
CVE-2023-44244MEDIUM

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in FooPlugins FooGallery plugin <= 2.2.44 versions.

2 Oct 2023
6.1
CVSS
CVE-2023-29439MEDIUM

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in FooPlugins FooGallery plugin <= 2.2.35 versions.

16 May 2023
6.1
CVSS
CVE-2021-24357MEDIUM

In the Best Image Gallery & Responsive Photo Gallery – FooGallery WordPress plugin before 2.0.35, the Custom CSS field of each gallery is not properly sanitised or validated before being being output in the page where the gallery is embed, leading to a stored Cross-Site Scripting issue.

14 Jun 2021
5.4
CVSS
CVE-2019-20182MEDIUM

The FooGallery plugin 1.8.12 for WordPress allow XSS via the post_title parameter.

10 Jan 2020
4.8
CVSS
← PrevPage 1 / 1Next →