Search

Search Results (363290 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-24675 1 Onedesigns 1 One User Avatar 2024-11-21 6.5 Medium
The One User Avatar WordPress plugin before 2.3.7 does not check for CSRF when updating the Avatar in page where the [avatar_upload] shortcode is embed. As a result, attackers could make logged in user change their avatar via a CSRF attack
CVE-2021-24674 1 Genie Wp Favicon Project 1 Genie Wp Favicon 2024-11-21 6.5 Medium
The Genie WP Favicon WordPress plugin through 0.5.2 does not have CSRF in place when updating the favicon, which could allow attackers to make a logged in admin change it via a CSRF attack
CVE-2021-24673 1 Dwbooster 1 Appointment Hour Booking 2024-11-21 4.8 Medium
The Appointment Hour Booking WordPress plugin before 1.3.16 does not escape some of the Calendar Form settings, allowing high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24672 1 Onedesigns 1 One User Avatar 2024-11-21 5.4 Medium
The One User Avatar WordPress plugin before 2.3.7 does not escape the link and target attributes of its shortcode, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks
CVE-2021-24671 1 Mx Time Zone Clocks Project 1 Mx Time Zone Clocks 2024-11-21 5.4 Medium
The MX Time Zone Clocks WordPress plugin before 3.4.1 does not escape the time_zone attribute of the mxmtzc_time_zone_clocks shortcode, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks
CVE-2021-24670 1 Status301 1 Coolclock 2024-11-21 5.4 Medium
The CoolClock WordPress plugin before 4.3.5 does not escape some shortcode attributes, allowing users with a role as low as Contributor toperform Stored Cross-Site Scripting attacks
CVE-2021-24669 1 Feataholic 1 Maz Loader 2024-11-21 8.8 High
The MAZ Loader – Preloader Builder for WordPress plugin before 1.3.3 does not validate or escape the loader_id parameter of the mzldr shortcode, which allows users with a role as low as Contributor to perform SQL injection.
CVE-2021-24668 1 Feataholic 1 Maz Loader 2024-11-21 4.3 Medium
The MAZ Loader WordPress plugin before 1.4.1 does not enforce nonce checks, which allows attackers to make administrators delete arbitrary loaders via a CSRF attack
CVE-2021-24667 1 Simplygallery 1 Simply Gallery Blocks With Lightbox 2024-11-21 5.4 Medium
A stored cross-site scripting vulnerability has been discovered in : Simply Gallery Blocks with Lightbox (Version – 2.2.0 & below). The vulnerability exists in the Lightbox functionality where a user with low privileges is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of image parameters in meta data.
CVE-2021-24666 1 Podlove 1 Podlove Podcast Publisher 2024-11-21 9.8 Critical
The Podlove Podcast Publisher WordPress plugin before 3.5.6 contains a 'Social & Donations' module (not activated by default), which adds the rest route '/services/contributor/(?P<id>[\d]+), takes an 'id' and 'category' parameters as arguments. Both parameters can be used for the SQLi.
CVE-2021-24665 1 Tipsandtricks-hq 1 Wp Video Lightbox 2024-11-21 5.4 Medium
The WP Video Lightbox WordPress plugin before 1.9.3 does not escape the attributes of its shortcodes, allowing users with a role as low as contributor to perform Cross-Site Scripting attacks
CVE-2021-24664 1 Igexsolutions 1 Wpschoolpress 2024-11-21 4.8 Medium
The School Management System – WPSchoolPress WordPress plugin before 2.1.17 sanitise some fields using sanitize_text_field() but does not escape them before outputting in attributes, resulting in Stored Cross-Site Scripting issues.
CVE-2021-24663 1 Simple Schools Staff Directory Project 1 Simple Schools Staff Directory 2024-11-21 7.2 High
The Simple Schools Staff Directory WordPress plugin through 1.1 does not validate uploaded logo pictures to ensure that are indeed images, allowing high privilege users such as admin to upload arbitrary file like PHP, leading to RCE
CVE-2021-24662 1 Game-server-status Project 1 Game-server-status 2024-11-21 7.2 High
The Game Server Status WordPress plugin through 1.0 does not validate or escape the server_id parameter before using it in SQL statement, leading to an Authenticated SQL Injection in an admin page
CVE-2021-24661 1 Wpxpo 1 Postx - Gutenberg Blocks For Post Grid 2024-11-21 4.3 Medium
The PostX – Gutenberg Blocks for Post Grid WordPress plugin before 2.4.10, with Saved Templates Addon enabled, allows users with Contributor roles or higher to read password-protected or private post contents the user is otherwise unable to read, given the post ID.
CVE-2021-24660 1 Wpxpo 1 Postx - Gutenberg Blocks For Post Grid 2024-11-21 5.4 Medium
The PostX – Gutenberg Blocks for Post Grid WordPress plugin before 2.4.10, with Saved Templates Addon enabled, allows users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the plugin's shortcode.
CVE-2021-24659 1 Wpxpo 1 Postx - Gutenberg Blocks For Post Grid 2024-11-21 5.4 Medium
The PostX – Gutenberg Blocks for Post Grid WordPress plugin before 2.4.10 allows users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the plugin's block.
CVE-2021-24658 1 Erident Custom Login And Dashboard Project 1 Erident Custom Login And Dashboard 2024-11-21 4.8 Medium
The Erident Custom Login and Dashboard WordPress plugin before 3.5.9 did not properly sanitise its settings, allowing high privilege users to use XSS payloads in them (even when the unfileted_html is disabled)
CVE-2021-24657 1 Limit Login Attempts Project 1 Limit Login Attempts 2024-11-21 6.1 Medium
The Limit Login Attempts WordPress plugin before 4.0.50 does not escape the IP addresses (which can be controlled by attacker via headers such as X-Forwarded-For) of attempted logins before outputting them in the reports table, leading to an Unauthenticated Stored Cross-Site Scripting issue.
CVE-2021-24656 1 Wpbrigade 1 Simple Social Buttons 2024-11-21 4.8 Medium
The Simple Social Media Share Buttons WordPress plugin before 3.2.4 does not escape the Share Title settings before outputting it in the frontend pages or posts (depending on the settings used), allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.