The flickr-justified-gallery plugin before 3.4.0 for WordPress has XSS.

Cross-site request forgery (CSRF) vulnerability in Contest Gallery versions prior to 10.4.5 allows remote attackers to hijack the authentication of administrators via unspecified vectors.

ecard.php in Coppermine Photo Gallery (CPG) 1.5.46 has XSS via the sender_name, recipient_email, greetings, or recipient_name parameter.

The WordPress Flash Uploader plugin before 3.1.3 for WordPress allows remote attackers to execute arbitrary commands via vectors related to invalid characters in image_magic_path.

Cross-site scripting (XSS) vulnerability in the keywords manager (keywordmgr.php) in Coppermine Photo Gallery before 1.5.27 and 1.6.x before 1.6.01 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

The mgl-instagram-gallery plugin for WordPress has XSS via the single-gallery.php media parameter.

In TinyWebGallery v2.4, an XSS vulnerability is located in the `mkname`, `mkitem`, and `item` parameters of the `Add/Create` module. Remote attackers with low-privilege user accounts for backend access are able to inject malicious script codes into the `TWG Explorer` item listing. The request method to inject is POST and the attack vector is located on the application-side of the service. The injection point is the add/create input field and the execution point occurs in the item listing after the add or create.

upload.php in the Powerplay Gallery plugin 3.3 for WordPress allows remote attackers to create arbitrary directories via vectors related to the targetDir variable.

Reflected XSS in wordpress plugin tidio-gallery v1.1

Remote file download vulnerability in wptf-image-gallery v1.03