Export limit exceeded: 363284 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (363284 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-24731 | 1 Genetechsolutions | 1 Pie Register | 2024-11-21 | 9.8 Critical |
| The Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.7.1.6 does not properly escape user data before using it in a SQL statement in the wp-json/pie/v1/login REST API endpoint, leading to an SQL injection. | ||||
| CVE-2021-24730 | 1 Infornweb | 1 Logo Showcase With Slick Slider | 2024-11-21 | 4.3 Medium |
| The Logo Showcase with Slick Slider WordPress plugin before 1.2.5 does not have CSRF and authorisation checks in the lswss_save_attachment_data AJAX action, allowing any authenticated users, such as Subscriber, to change title, description, alt text, and URL of arbitrary uploaded media. | ||||
| CVE-2021-24729 | 1 Infornweb | 1 Logo Showcase With Slick Slider | 2024-11-21 | 5.4 Medium |
| The Logo Showcase with Slick Slider WordPress plugin before 1.2.4 does not sanitise the Grid Settings, which could allow users with a role as low as Author to perform stored Cross-Site Scripting attacks via post metadata of Grid logo showcase. | ||||
| CVE-2021-24728 | 1 Cozmoslabs | 1 Membership \& Content Restriction - Paid Member Subscriptions | 2024-11-21 | 8.8 High |
| The Membership & Content Restriction – Paid Member Subscriptions WordPress plugin before 2.4.2 did not sanitise, validate or escape its order and orderby parameters before using them in SQL statement, leading to Authenticated SQL Injections in the Members and Payments pages. | ||||
| CVE-2021-24726 | 1 Wpsimplebookingcalendar | 1 Wp Simple Booking Calendar | 2024-11-21 | 8.8 High |
| The WP Simple Booking Calendar WordPress plugin before 2.0.6 did not escape, validate or sanitise the orderby parameter in its Search Calendars action, before using it in a SQL statement, leading to an authenticated SQL injection issue | ||||
| CVE-2021-24725 | 1 Quantumcloud | 1 Comment Link Remove And Other Comment Tools | 2024-11-21 | 4.3 Medium |
| The Comment Link Remove and Other Comment Tools WordPress plugin before 2.1.6 does not have CSRF check in its 'Delete comments easily', which could allow attackers to make logged in admin delete arbitrary comments | ||||
| CVE-2021-24724 | 1 Motopress | 1 Timetable And Event Schedule | 2024-11-21 | 5.4 Medium |
| The Timetable and Event Schedule by MotoPress WordPress plugin before 2.3.19 does not sanitise some of its parameters, which could allow low privilege users such as author to perform XSS attacks against frontend and backend users when viewing the related event/s | ||||
| CVE-2021-24723 | 1 Wpreactions | 1 Wp Reactions Lite | 2024-11-21 | 5.4 Medium |
| The WP Reactions Lite WordPress plugin before 1.3.6 does not properly sanitize inputs within wp-admin pages, allowing users with sufficient access to inject XSS payloads within /wp-admin/ pages. | ||||
| CVE-2021-24722 | 1 Motopress | 1 Restaurant Menu | 2024-11-21 | 4.8 Medium |
| The Restaurant Menu by MotoPress WordPress plugin before 2.4.2 does not properly sanitize or escape inputs when creating new menu items, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | ||||
| CVE-2021-24721 | 1 Loco Translate Project | 1 Loco Translate | 2024-11-21 | 6.5 Medium |
| The Loco Translate WordPress plugin before 2.5.4 mishandles data inputs which get saved to a file, which can be renamed to an extension ending in .php, resulting in authenticated "translator" users being able to inject PHP code into files ending with .php in web accessible locations. | ||||
| CVE-2021-24720 | 1 Ayecode | 1 Geodirectory | 2024-11-21 | 5.4 Medium |
| The GeoDirectory Business Directory WordPress plugin before 2.1.1.3 was vulnerable to Authenticated Stored Cross-Site Scripting (XSS). | ||||
| CVE-2021-24719 | 1 Kriesi | 1 Enfold | 2024-11-21 | 6.1 Medium |
| The Enfold Enfold WordPress theme before 4.8.4 was vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability is present on Enfold versions previous than 4.8.4 which use Avia Page Builder. | ||||
| CVE-2021-24718 | 1 Reputeinfosystems | 1 Contact Form\, Survey \& Popup Form Plugin For Wordpress - Arforms Form Builder | 2024-11-21 | 4.8 Medium |
| The Contact Form, Survey & Popup Form Plugin for WordPress plugin before 1.5 does not properly sanitize some of its settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | ||||
| CVE-2021-24717 | 1 Automatorwp | 1 Automatorwp | 2024-11-21 | 8.8 High |
| The AutomatorWP WordPress plugin before 1.7.6 does not perform capability checks which allows users with Subscriber roles to enumerate automations, disclose title of private posts or user emails, call functions, or perform privilege escalation via Ajax actions. | ||||
| CVE-2021-24716 | 1 Webnus | 1 Modern Events Calendar Lite | 2024-11-21 | 5.4 Medium |
| The Modern Events Calendar Lite WordPress plugin before 5.22.3 does not properly sanitize or escape values set by users with access to adjust settings withing wp-admin. | ||||
| CVE-2021-24715 | 1 Wp Sitemap Page Project | 1 Wp Sitemap Page | 2024-11-21 | 4.8 Medium |
| The WP Sitemap Page WordPress plugin before 1.7.0 does not properly sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | ||||
| CVE-2021-24714 | 1 Soflyy | 1 Wp All Import | 2024-11-21 | 4.8 Medium |
| The Import any XML or CSV File to WordPress plugin before 3.6.3 does not escape the Import's Title and Unique Identifier fields before outputting them in admin pages, which could allow high privilege users to perform Cross-Site attacks even when the unfiltered_html capability is disallowed. | ||||
| CVE-2021-24712 | 1 Dwbooster | 1 Appointment Hour Booking | 2024-11-21 | 5.4 Medium |
| The Appointment Hour Booking WordPress plugin before 1.3.17 does not properly sanitize values used when creating new calendars. | ||||
| CVE-2021-24711 | 1 Tipsandtricks-hq | 1 Software License Manager | 2024-11-21 | 8.8 High |
| The del_reistered_domains AJAX action of the Software License Manager WordPress plugin before 4.5.1 does not have any CSRF checks, and is vulnerable to a CSRF attack | ||||
| CVE-2021-24710 | 1 Print-o-matic Project | 1 Print-o-matic | 2024-11-21 | 4.8 Medium |
| The Print-O-Matic WordPress plugin before 2.0.3 does not escape some of its settings before outputting them in attribute, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | ||||