Export limit exceeded: 364922 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (364922 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-24875 | 1 Implecode | 1 Ecommerce Product Catalog | 2024-11-21 | 6.1 Medium |
| The eCommerce Product Catalog Plugin for WordPress plugin before 3.0.39 does not escape the ic-settings-search parameter before outputting it back in the page in an attribute, leading to a Reflected Cross-Site Scripting issue | ||||
| CVE-2021-24874 | 1 Brevo | 1 Newsletter\, Smtp\, Email Marketing And Subscribe | 2024-11-21 | 6.1 Medium |
| The Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue WordPress plugin before 3.1.31 does not escape the lang and pid parameter before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues | ||||
| CVE-2021-24873 | 1 Themeum | 1 Tutor Lms | 2024-11-21 | 6.1 Medium |
| The Tutor LMS WordPress plugin before 1.9.11 does not sanitise and escape user input before outputting back in attributes in the Student Registration page, leading to a Reflected Cross-Site Scripting issue | ||||
| CVE-2021-24872 | 1 Get Custom Field Values Project | 1 Get Custom Field Values | 2024-11-21 | 6.5 Medium |
| The Get Custom Field Values WordPress plugin before 4.0 allows users with a role as low as Contributor to access other posts metadata without validating the permissions. Eg. contributors can access admin posts metadata. | ||||
| CVE-2021-24871 | 1 Get Custom Field Values Project | 1 Get Custom Field Values | 2024-11-21 | 5.4 Medium |
| The Get Custom Field Values WordPress plugin before 4.0.1 does not escape custom fields before outputting them in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks | ||||
| CVE-2021-24868 | 1 Bplugins | 1 Document Embedder | 2024-11-21 | 4.3 Medium |
| The Document Embedder WordPress plugin before 1.7.9 contains a AJAX action endpoint, which could allow any authenticated user, such as subscriber to enumerate the title of arbitrary private and draft posts. | ||||
| CVE-2021-24867 | 1 Accesspressthemes | 93 Accessbuddy, Accesspress Anonymous Post, Accesspress Basic and 90 more | 2024-11-21 | 9.8 Critical |
| Numerous Plugins and Themes from the AccessPress Themes (aka Access Keys) vendor are backdoored due to their website being compromised. Only plugins and themes downloaded via the vendor website are affected, and those hosted on wordpress.org are not. However, all of them were updated or removed to avoid any confusion | ||||
| CVE-2021-24866 | 1 Wpdataaccess | 1 Wp Data Access | 2024-11-21 | 9.8 Critical |
| The WP Data Access WordPress plugin before 5.0.0 does not properly sanitise and escape the backup_date parameter before using it a SQL statement, leading to a SQL injection issue and could allow arbitrary table deletion | ||||
| CVE-2021-24865 | 1 Acf-extended | 1 Advanced Custom Fields\ | 2024-11-21 | 7.2 High |
| The Advanced Custom Fields: Extended WordPress plugin before 0.8.8.7 does not validate the order and orderby parameters before using them in a SQL statement, leading to a SQL Injection issue | ||||
| CVE-2021-24864 | 1 Wpscan | 1 Wp Cloudy | 2024-11-21 | 8.8 High |
| The WP Cloudy, weather plugin WordPress plugin before 4.4.9 does not escape the post_id parameter before using it in a SQL statement in the admin dashboard, leading to a SQL Injection issue | ||||
| CVE-2021-24862 | 1 Metagauss | 1 Registrationmagic | 2024-11-21 | 7.2 High |
| The RegistrationMagic WordPress plugin before 5.0.1.6 does not escape user input in its rm_chronos_ajax AJAX action before using it in a SQL statement when duplicating tasks in batches, which could lead to a SQL injection issue | ||||
| CVE-2021-24861 | 1 Quotes Collection Project | 1 Quotes Collection | 2024-11-21 | 7.2 High |
| The Quotes Collection WordPress plugin through 2.5.2 does not validate and escape the bulkcheck parameter before using it in a SQL statement, leading to a SQL injection | ||||
| CVE-2021-24860 | 1 Bannersky | 1 Bsk Pdf Manager | 2024-11-21 | 7.2 High |
| The BSK PDF Manager WordPress plugin before 3.1.2 does not validate and escape the orderby and order parameters before using them in a SQL statement, leading to a SQL injection issue | ||||
| CVE-2021-24859 | 1 User Meta Shortcodes Project | 1 User Meta Shortcodes | 2024-11-21 | 4.3 Medium |
| The User Meta Shortcodes WordPress plugin through 0.5 registers a shortcode that allows any user with a role as low as contributor to access other users metadata by specifying the user login as a parameter. This makes the WP instance vulnerable to data extrafiltration, including password hashes | ||||
| CVE-2021-24858 | 1 Accesspressthemes | 1 Wp Cookie User Info | 2024-11-21 | 7.2 High |
| The Cookie Notification Plugin for WordPress plugin before 1.0.9 does not sanitise or escape the id GET parameter before using it in a SQL statement, when retrieving the setting to edit in the admin dashboard, leading to an authenticated SQL Injection | ||||
| CVE-2021-24857 | 1 Nocean | 1 Totop Link | 2024-11-21 | 9.8 Critical |
| The ToTop Link WordPress plugin through 1.7.1 passes base64 encoded user input to the unserialize() PHP function, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain. | ||||
| CVE-2021-24856 | 1 Tammersoft | 1 Shared Files | 2024-11-21 | 4.8 Medium |
| The Shared Files WordPress plugin before 1.6.61 does not sanitise and escape the Download Counter Text settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | ||||
| CVE-2021-24855 | 1 Display Post Metadata Project | 1 Display Post Metadata | 2024-11-21 | 5.4 Medium |
| The Display Post Metadata WordPress plugin before 1.5.0 adds a shortcode to print out custom fields, however their content is not sanitised or escaped which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks | ||||
| CVE-2021-24854 | 1 Qr Redirector Project | 1 Qr Redirector | 2024-11-21 | 5.4 Medium |
| The QR Redirector WordPress plugin before 1.6.1 does not sanitise and escape some of the QR Redirect fields, which could allow users with a role as low as Contributor perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2021-24853 | 1 Qr Redirector Project | 1 Qr Redirector | 2024-11-21 | 4.3 Medium |
| The QR Redirector WordPress plugin before 1.6 does not have capability and CSRF checks when saving bulk QR Redirector settings via the qr_save_bulk AJAX action, which could allow any authenticated user, such as subscriber to change the redirect response status code of arbitrary QR Redirects | ||||