Search Results (363250 CVEs found)

CVE  Vendors (count, name)  Products (count, name)  Updated  CVSS v3.1 (score, severity)
CVE-2021-24803 1 Core Tweaks Wp Setup Project 1 Core Tweaks Wp Setup 2024-11-21 8.8 High
The Core Tweaks WP Setup WordPress plugin through 4.1 allows bulk-setting many WordPress settings, including the admin email, as well as creating a new admin account. There is no CSRF protection in place, allowing an attacker to arbitrarily change the admin email or create another admin account and take over the website via CSRF attacks.
CVE-2021-24802 1 Gesundheit-bewegt 1 Colorful Categories 2024-11-21 6.5 Medium
The Colorful Categories WordPress plugin before 2.0.15 does not enforce nonce checks, which could allow attackers to make a logged-in admin or editor change taxonomy colors via a CSRF attack.
CVE-2021-24801 1 Wp Survey Plus Project 1 Wp Survey Plus 2024-11-21 4.3 Medium
The WP Survey Plus WordPress plugin through 1.0 does not have any authorisation or CSRF checks in place in its AJAX actions, allowing any user to call them and add/edit/delete Surveys. Furthermore, due to the lack of sanitisation of the Surveys' Title, this could also lead to Stored Cross-Site Scripting issues.
CVE-2021-24800 1 Designwall 1 Dw Question & Answer 2024-11-21 4.3 Medium
The DW Question & Answer Pro WordPress plugin through 1.3.4 does not check that the comment to edit belongs to the user making the request, allowing any user to edit other comments.
CVE-2021-24799 1 Tipsandtricks-hq 1 Far Future Expiry Header 2024-11-21 4.3 Medium
The Far Future Expiry Header WordPress plugin before 1.5 does not have a CSRF check when saving its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
CVE-2021-24798 1 Androidbubbles 1 Wp Header Images 2024-11-21 6.1 Medium
The WP Header Images WordPress plugin before 2.0.1 does not sanitise and escape the t parameter before outputting it back in the plugin's settings page, leading to a Reflected Cross-Site Scripting issue.
CVE-2021-24797 1 Tickera 1 Tickera 2024-11-21 6.1 Medium
The Tickera WordPress plugin before 3.4.8.3 does not properly sanitise and escape the Name fields of booked Events before outputting them in the Orders admin dashboard, which could allow unauthenticated users to perform Cross-Site Scripting attacks against admins.
CVE-2021-24796 1 My Tickets Project 1 My Tickets 2024-11-21 6.1 Medium
The My Tickets WordPress plugin before 1.8.31 does not properly sanitise and escape the Email field of booked tickets before outputting it in the Payment admin dashboard, which could allow unauthenticated users to perform Cross-Site Scripting attacks against admins.
CVE-2021-24795 1 Phoeniixx 1 Filter Portfolio Gallery 2024-11-21 6.5 Medium
The Filter Portfolio Gallery WordPress plugin through 1.5 lacks a Cross-Site Request Forgery (CSRF) check when deleting a Gallery, which could allow attackers to make a logged-in admin delete an arbitrary Gallery.
CVE-2021-24794 1 Connections-pro 1 Connections Business Directory 2024-11-21 4.8 Medium
The Connections Business Directory WordPress plugin before 10.4.3 does not escape the Address settings when creating an Entry, which could allow high privilege users to perform Cross-Site Scripting when the unfiltered_html capability is disallowed.
CVE-2021-24793 1 Etruel 1 Wpematico Rss Feed Fetcher 2024-11-21 4.8 Medium
The WPeMatico RSS Feed Fetcher WordPress plugin before 2.6.12 does not escape the Feed URL added to a campaign before outputting it in an attribute, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24792 1 Wpeden 1 Shiny Buttons 2024-11-21 6.1 Medium
The Shiny Buttons WordPress plugin through 1.1.0 does not have any authorisation or CSRF checks in place when saving a template (wpbtn_save_template function hooked to the init action), nor does it sanitise and escape templates before outputting them in the admin dashboard, which allows unauthenticated users to add a malicious template, leading to Stored Cross-Site Scripting issues.
CVE-2021-24791 1 Draftpress 1 Header Footer Code Manager 2024-11-21 7.2 High
The Header Footer Code Manager WordPress plugin before 1.1.14 does not validate and escape the "orderby" and "order" request parameters before using them in a SQL statement when viewing the Snippets admin dashboard, leading to SQL injection.
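The orderby/order flaw above is the classic case where $wpdb->prepare() does not help: placeholders cover values, not identifiers or sort direction, so the only fix is an allow-list. The following is an added example written for this page, not code from the Header Footer Code Manager plugin; the table name, column names and the hfcm_example_ function names are assumptions used to illustrate the pattern, not the plugin's real schema.

```php
<?php
// Added example, not code from the Header Footer Code Manager plugin.
// The table ($wpdb->prefix . 'hfcm_snippets') and its column names are
// hypothetical; they illustrate the pattern, not the plugin's real schema.

// VULNERABLE: request parameters are concatenated straight into ORDER BY.
// $wpdb->prepare() cannot parameterise identifiers or ASC/DESC, so a request
// such as ?orderby=(SELECT ...)&order=ASC lands in the statement verbatim.
function hfcm_example_list_snippets_vulnerable() {
    global $wpdb;
    $table   = $wpdb->prefix . 'hfcm_snippets';
    $orderby = isset( $_GET['orderby'] ) ? $_GET['orderby'] : 'id';
    $order   = isset( $_GET['order'] ) ? $_GET['order'] : 'ASC';
    return $wpdb->get_results( "SELECT * FROM {$table} ORDER BY {$orderby} {$order}" );
}

// FIXED: the sort column and direction are chosen from allow-lists; the request
// only selects among known-good literals and never reaches the SQL string.
function hfcm_example_list_snippets_fixed() {
    global $wpdb;
    $table = $wpdb->prefix . 'hfcm_snippets';

    $allowed_columns = array( 'id', 'name', 'location', 'status' ); // assumed columns
    // sanitize_key() lowercases and strips everything outside [a-z0-9_-].
    $orderby = isset( $_GET['orderby'] ) ? sanitize_key( $_GET['orderby'] ) : 'id';
    if ( ! in_array( $orderby, $allowed_columns, true ) ) {
        $orderby = 'id';
    }

    $order = isset( $_GET['order'] ) ? strtoupper( sanitize_key( $_GET['order'] ) ) : 'ASC';
    $order = ( 'DESC' === $order ) ? 'DESC' : 'ASC';

    // Both values are now literals from our own lists, so interpolation is safe.
    // esc_sql() would NOT be a substitute: it escapes quotes, which an ORDER BY
    // payload does not need.
    return $wpdb->get_results( "SELECT * FROM {$table} ORDER BY `{$orderby}` {$order}" );
}
```

Core also ships sanitize_sql_orderby(), which rejects strings that do not look like "col ASC, col2 DESC"; it is a useful second line of defence but it accepts any identifier-shaped column name, so it does not replace the allow-list when the column set is known.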
CVE-2021-24790 1 Contact Form Advanced Database Project 1 Contact Form Advanced Database 2024-11-21 4.3 Medium
The Contact Form Advanced Database WordPress plugin through 1.0.8 does not have any authorisation as well as CSRF checks in its delete_cf7_data and export_cf7_data AJAX actions, available to any authenticated users, which could allow users with a role as low as subscriber to call them. The delete_cf7_data would lead to arbitrary metadata deletion, as well as PHP Object Injection if a suitable gadget chain is present in another plugin, as user data is passed to the maybe_unserialize() function without being first validated.
CVE-2021-24789 1 Flat Preloader Project 1 Flat Preloader 2024-11-21 4.8 Medium
The Flat Preloader WordPress plugin before 1.5.5 does not escape some of its settings when outputting them in an attribute on the frontend, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24788 1 Batch Cat Project 1 Batch Cat 2024-11-21 6.5 Medium
The Batch Cat WordPress plugin through 0.3 defines 3 custom AJAX actions, which all require authentication but are available to all roles. As a result, any authenticated user (including simple subscribers) can add/set/delete arbitrary categories on posts.
CVE-2021-24787 1 Webventures 1 Client Invoicing By Sprout Invoices 2024-11-21 4.8 Medium
The Client Invoicing by Sprout Invoices WordPress plugin before 19.9.7 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24785 1 Great-quotes Project 1 Great-quotes 2024-11-21 4.8 Medium
The Great Quotes WordPress plugin through 1.0.0 does not sanitise and escape the Quote and Author fields of its Quotes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
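The Cross-Site Scripting entries above fall into three shapes: a reflected parameter echoed back on a settings page (the "t" parameter), booking fields submitted by unauthenticated visitors and rendered in an admin dashboard, and plugin settings that bypass the filtering WordPress applies to users without unfiltered_html. The block below is an added example for this page, not code from any of the listed plugins; the example_ function names, the field names and the option name are assumptions.

```php
<?php
// Added example, not code from any plugin listed on this page. Function names,
// field names and the option name are assumptions used to show the pattern.

// Reflected XSS (cf. the "t" settings-page parameter): the value is echoed
// back into the page without escaping, in both a text node and an attribute.
function example_tab_heading_vulnerable() {
    $tab = isset( $_GET['t'] ) ? $_GET['t'] : 'general';
    echo '<h2>Settings: ' . $tab . '</h2>';
    echo '<input type="hidden" name="t" value="' . $tab . '">';
}

// FIXED: escape for the exact output context. esc_html() for text nodes,
// esc_attr() inside attribute values; both neutralise <, >, " and '.
function example_tab_heading_fixed() {
    $tab = isset( $_GET['t'] ) ? sanitize_key( $_GET['t'] ) : 'general';
    echo '<h2>Settings: ' . esc_html( $tab ) . '</h2>';
    echo '<input type="hidden" name="t" value="' . esc_attr( $tab ) . '">';
}

// Stored XSS against admins (cf. the Name/Email fields of booked events and
// tickets): an unauthenticated visitor submits the field, an admin later views
// it in a dashboard table, and the payload runs in the admin's session.
function example_render_bookings_vulnerable( array $bookings ) {
    foreach ( $bookings as $b ) {
        echo '<tr><td>' . $b['name'] . '</td><td>' . $b['email'] . '</td></tr>';
    }
}

function example_render_bookings_fixed( array $bookings ) {
    foreach ( $bookings as $b ) {
        echo '<tr><td>' . esc_html( $b['name'] ) . '</td>'
           . '<td>' . esc_html( $b['email'] ) . '</td></tr>';
    }
}

// Sanitising on save is the other half: sanitize_text_field() strips tags and
// control characters, sanitize_email() rejects anything that is not an address.
// It does not remove the need to escape on output (data may reach the table
// by other routes, e.g. an import).
function example_save_booking( array $raw ) {
    return array(
        'name'  => sanitize_text_field( wp_unslash( $raw['name'] ) ),
        'email' => sanitize_email( wp_unslash( $raw['email'] ) ),
    );
}

// Why "even when unfiltered_html is disallowed" matters: WordPress runs its
// kses filters over post content (and a few other core fields) for users who
// lack that capability, but a plugin setting written straight to the options
// table gets no such filtering. An Editor, or an Administrator on a multisite
// where only super admins hold unfiltered_html by default, can therefore store
// a payload that fires for every admin who opens the settings page.
function example_save_setting_fixed( $raw_value ) {
    // Hypothetical option name. wp_kses_post() keeps the HTML an editor may use
    // in posts and strips script tags and event-handler attributes.
    update_option( 'example_plugin_footer_html', wp_kses_post( wp_unslash( $raw_value ) ) );
}
```

The rule of thumb the fixed functions follow: sanitise on input according to what the field is (a key, a text field, an e-mail), and escape on output according to where it lands (text node, attribute, URL). Doing only one of the two is what produces the entries above.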
CVE-2021-24784 1 Wp Admin Logo Changer Project 1 Wp Admin Logo Changer 2024-11-21 6.5 Medium
The WP Admin Logo Changer WordPress plugin through 1.0 does not have a CSRF check when saving its settings, which could allow attackers to make a logged-in admin update them via a CSRF attack.
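Several entries above (Core Tweaks WP Setup, Colorful Categories, Far Future Expiry Header, Filter Portfolio Gallery, WP Admin Logo Changer) share one root cause: a settings or delete handler that acts on any POST carrying the admin's session cookie. The block below is an added example for this page and not code from any of those plugins; the admin-post action name, option name, nonce name and form fields are assumptions.

```php
<?php
// Added example, not code from any plugin listed on this page. The admin-post
// action, option name, nonce name and form fields are assumptions.

// VULNERABLE: the handler trusts any POST that reaches it. The victim's
// browser attaches the WordPress auth cookies automatically, so a page the
// admin merely visits can auto-submit a cross-site form to admin-post.php and
// overwrite the setting. Where the handler can also change the admin e-mail or
// create a user, the same flaw is a full site takeover.
// (Not hooked here so it cannot run alongside the fixed handler; it would be
// registered exactly like the fixed one.)
function example_save_logo_vulnerable() {
    update_option( 'example_admin_logo_url', $_POST['logo_url'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-logo' ) );
    exit;
}

// FIXED, part 1: the form carries a nonce tied to the action and the current
// user. A cross-origin attacker cannot read the form, so cannot obtain it.
function example_logo_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_logo">
        <?php wp_nonce_field( 'example_save_logo', 'example_logo_nonce' ); ?>
        <input type="url" name="logo_url"
               value="<?php echo esc_attr( get_option( 'example_admin_logo_url', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// FIXED, part 2: the handler checks privilege AND intent before writing.
add_action( 'admin_post_example_save_logo', 'example_save_logo_fixed' );
function example_save_logo_fixed() {
    // Authorisation first: a nonce proves the request came from our form, not
    // that the user is allowed to change the option.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // Anti-CSRF: check_admin_referer() dies with a 403 on a missing, stale or
    // mismatched nonce.
    check_admin_referer( 'example_save_logo', 'example_logo_nonce' );

    $url = isset( $_POST['logo_url'] ) ? esc_url_raw( wp_unslash( $_POST['logo_url'] ) ) : '';
    update_option( 'example_admin_logo_url', $url );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-logo' ) );
    exit;
}
```

A quick test from the attacker's side is to reproduce the POST from a page on another origin with the nonce field omitted: the vulnerable handler saves the value, the fixed one returns 403 before touching the option. Delete actions driven by a GET link need the same treatment (wp_nonce_url() on the link, check_admin_referer() in the handler).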
CVE-2021-24783 1 Publishpress 1 Post Expirator 2024-11-21 6.5 Medium
The Post Expirator WordPress plugin before 2.6.0 does not have proper capability checks in place, which could allow users with a role as low as Contributor to schedule deletion of arbitrary posts.
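The authorisation failures in this list (WP Survey Plus, DW Question & Answer, Contact Form Advanced Database, Batch Cat, Post Expirator) come from treating "is logged in" as "is allowed": wp_ajax_* hooks fire for any authenticated user, and a Subscriber reaches them as easily as an Administrator. The Contact Form Advanced Database entry adds a second problem, maybe_unserialize() on request data. The block below is an added example for this page, not code from any of those plugins; the action names, meta keys, nonce name and field names are assumptions.

```php
<?php
// Added example, not code from any plugin listed on this page. Action names,
// meta keys, nonce name and field names are assumptions.

// VULNERABLE: a wp_ajax_* hook only requires a logged-in user. Nothing here
// asks what that user may do, so a Subscriber can delete metadata on any post.
// The raw POST value also reaches maybe_unserialize(), which calls
// unserialize() on anything that looks serialised: with a suitable gadget
// class loaded by another plugin (a __wakeup()/__destruct() with side
// effects), that is PHP Object Injection.
// (Not hooked here; it would be registered exactly like the fixed one.)
function example_delete_data_vulnerable() {
    $post_id = $_POST['post_id'];
    $keys    = maybe_unserialize( wp_unslash( $_POST['keys'] ) );
    foreach ( (array) $keys as $key ) {
        delete_post_meta( $post_id, $key );
    }
    wp_send_json_success();
}

// FIXED: nonce (intent) + capability check against the specific object
// (privilege) + no unserialize() of attacker-controlled bytes.
add_action( 'wp_ajax_example_delete_data', 'example_delete_data_fixed' );
function example_delete_data_fixed() {
    check_ajax_referer( 'example_delete_data', 'nonce' ); // dies on failure

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    // Object-level check: "may this user edit THIS post", not "is this user
    // logged in". The same shape fixes "any user can edit other comments"
    // (edit_comment, $comment_id) and "Contributors can schedule deletion of
    // arbitrary posts" (delete_post, $post_id).
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Accept a plain JSON array of key names. json_decode() cannot instantiate
    // PHP objects, and every element is validated against an allow-list.
    $keys = json_decode( wp_unslash( isset( $_POST['keys'] ) ? $_POST['keys'] : '[]' ), true );
    if ( ! is_array( $keys ) ) {
        wp_send_json_error( 'bad request', 400 );
    }
    $allowed = array( 'example_form_data', 'example_form_export' ); // assumed meta keys
    foreach ( $keys as $key ) {
        $key = sanitize_key( $key );
        if ( in_array( $key, $allowed, true ) ) {
            delete_post_meta( $post_id, $key );
        }
    }
    wp_send_json_success();
}

// The client must send the nonce; the page that renders the button exposes it
// to the script with wp_localize_script().
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_js' );
function example_enqueue_admin_js() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_delete_data' ),
    ) );
}
```

When reviewing a plugin, grep for add_action( 'wp_ajax_ and check that each callback has both a check_ajax_referer() and a current_user_can() with a meta capability (edit_post, delete_post, edit_comment) and an object ID; a bare is_user_logged_in() or a role-name comparison is the pattern behind the Batch Cat and Post Expirator entries above.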