Search

Search Results (364917 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-24957 1 Advanced Page Visit Counter Project 1 Advanced Page Visit Counter 2024-11-21 8.8 High
The Advanced Page Visit Counter WordPress plugin before 6.1.6 does not escape the artID parameter before using it in a SQL statement in the apvc_reset_count_art AJAX action, available to any authenticated user, leading to a SQL injection
CVE-2021-24956 1 Adenion 1 Blog2social 2024-11-21 6.1 Medium
The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 6.8.7 does not sanitise and escape the b2sShowByDate parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24955 1 Profilepress 1 User Registration\, Login Form\, User Profile \& Membership 2024-11-21 6.1 Medium
The User Registration, Login Form, User Profile & Membership WordPress plugin before 3.2.3 does not escape the data parameter of the pp_get_forms_by_builder_type AJAX action before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24954 1 Profilepress 1 User Registration\, Login Form\, User Profile \& Membership 2024-11-21 6.1 Medium
The User Registration, Login Form, User Profile & Membership WordPress plugin before 3.2.3 does not sanitise and escape the ppress_cc_data parameter before outputting it back in an attribute of an admin dashboard page, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24953 1 Tinywebgallery 1 Advanced Iframe 2024-11-21 6.1 Medium
The Advanced iFrame WordPress plugin before 2022 does not sanitise and escape the ai_config_id parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24951 1 Thimpress 1 Learnpress 2024-11-21 9.8 Critical
The LearnPress WordPress plugin before 4.1.4 does not sanitise, validate and escape the id parameter before using it in SQL statements when duplicating course/lesson/quiz/question, leading to SQL Injections issues
CVE-2021-24950 1 Thememove 1 Insight Core 2024-11-21 5.4 Medium
The Insight Core WordPress plugin through 1.0 does not have any authorisation and CSRF checks in the insight_customizer_options_import (available to any authenticated user), does not validate user input before passing it to unserialize(), nor sanitise and escape it before outputting it in the response. As a result, it could allow users with a role as low as Subscriber to perform PHP Object Injection, as well as Stored Cross-Site Scripting attacks
CVE-2021-24949 1 Posimyth 1 The Plus Addons For Elementor 2024-11-21 9.8 Critical
The "WP Search Filters" widget of The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection
CVE-2021-24948 1 Posimyth 1 The Plus Addons For Elementor 2024-11-21 7.5 High
The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not validate the qvquery parameter of the tp_get_dl_post_info_ajax AJAX action, which could allow unauthenticated users to retrieve sensitive information, such as private and draft posts
CVE-2021-24947 1 Thinkupthemes 1 Responsive Vector Maps 2024-11-21 6.5 Medium
The RVM WordPress plugin before 6.4.2 does not have proper authorisation, CSRF checks and validation of the rvm_upload_regions_file_path parameter in the rvm_import_regions AJAX action, allowing any authenticated user, such as subscriber, to read arbitrary files on the web server
CVE-2021-24946 1 Webnus 1 Modern Events Calendar Lite 2024-11-21 9.8 Critical
The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue
CVE-2021-24945 1 Likebtn 1 Like Button Rating 2024-11-21 8.0 High
The Like Button Rating ♥ LikeBtn WordPress plugin before 2.6.38 does not have any authorisation and CSRF checks in the likebtn_export_votes AJAX action, which could allow any authenticated user, such as subscriber, to get a list of email and IP addresses of people who liked content from the blog.
CVE-2021-24944 1 Cusmin 1 Absolutely Glamorous Custom Admin 2024-11-21 4.8 Medium
The Custom Dashboard & Login Page WordPress plugin before 7.0 does not sanitise some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24943 1 Roundupwp 1 Registrations For The Events Calendar 2024-11-21 9.8 Critical
The Registrations for the Events Calendar WordPress plugin before 2.7.6 does not sanitise and escape the event_id in the rtec_send_unregister_link AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an unauthenticated SQL injection.
CVE-2021-24941 1 Icegram 1 Icegram 2024-11-21 6.1 Medium
The Popups, Welcome Bar, Optins and Lead Generation Plugin WordPress plugin before 2.0.5 does not sanitise and escape the message_id parameter of the get_message_action_row AJAX action before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue
CVE-2021-24940 1 Woocommerce 1 Persian-woocommerce 2024-11-21 6.1 Medium
The Persian Woocommerce WordPress plugin through 5.8.0 does not escape the s parameter before outputting it back in an attribute in the admin dashboard, which could lead to a Reflected Cross-Site Scripting issue
CVE-2021-24939 1 Profilepress 1 Loginwp 2024-11-21 6.1 Medium
The LoginWP (Formerly Peter's Login Redirect) WordPress plugin before 3.0.0.5 does not sanitise and escape the rul_login_url and rul_logout_url parameter before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24938 1 Woocommerce 1 Woocommerce Currency Switcher 2024-11-21 6.1 Medium
The WOOCS WordPress plugin before 1.3.7.1 does not sanitise and escape the key parameter of the woocs_update_profiles_data AJAX action (available to any authenticated user) before outputting it back in the response, leading to a Reflected cross-Site Scripting issue
CVE-2021-24937 1 Asset Cleanup\ 1 Page Speed Booster Project 2024-11-21 6.1 Medium
The Asset CleanUp: Page Speed Booster WordPress plugin before 1.3.8.5 does not escape the wpacu_selected_sub_tab_area parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24936 1 Wp Extra File Types Project 1 Wp Extra File Types 2024-11-21 8.0 High
The WP Extra File Types WordPress plugin before 0.5.1 does not have CSRF check when saving its settings, nor sanitise and escape some of them, which could allow attackers to make a logged in admin change them and perform Cross-Site Scripting attacks