Export limit exceeded: 367033 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (367033 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-24912 1 Transposh 1 Transposh Wordpress Translation 2024-11-21 5.4 Medium
The Transposh WordPress Translation WordPress plugin before 1.0.8 does not have CSRF check in its tp_translation AJAX action, which could allow attackers to make authorised users add a translation. Given the lack of sanitisation in the tk0 parameter, this could lead to a Stored Cross-Site Scripting issue which will be executed in the context of a logged in admin
CVE-2021-24911 1 Transposh 1 Transposh Wordpress Translation 2024-11-21 5.4 Medium
The Transposh WordPress Translation WordPress plugin before 1.0.8 does not sanitise and escape the tk0 parameter from the tp_translation AJAX action, leading to Stored Cross-Site Scripting, which will trigger in the admin dashboard of the plugin. The minimum role needed to perform such attack depends on the plugin "Who can translate ?" setting.
CVE-2021-24910 1 Transposh 1 Transposh Wordpress Translation 2024-11-21 6.1 Medium
The Transposh WordPress Translation WordPress plugin before 1.0.8 does not sanitise and escape the a parameter via an AJAX action (available to both unauthenticated and authenticated users when the curl library is installed) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24909 1 Navz 1 Acf Photo Gallery Field 2024-11-21 6.1 Medium
The ACF Photo Gallery Field WordPress plugin before 1.7.5 does not sanitise and escape the post parameter in the includes/acf_photo_gallery_metabox_edit.php file before outputing back in an attribute, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24908 1 Wpchill 1 Check \& Log Email 2024-11-21 6.1 Medium
The Check & Log Email WordPress plugin before 1.0.4 does not escape the d parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting
CVE-2021-24907 1 Wpeverest 1 Everest Forms 2024-11-21 6.1 Medium
The Contact Form, Drag and Drop Form Builder for WordPress plugin before 1.8.0 does not escape the status parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24906 1 Wp-experts 1 Protect Wp Admin 2024-11-21 7.5 High
The Protect WP Admin WordPress plugin before 3.6.2 does not check for authorisation in the lib/pwa-deactivate.php file, which could allow unauthenticated users to disable the plugin (and therefore the protection offered) via a crafted request
CVE-2021-24905 1 Vsourz 1 Advanced Cf7 Db 2024-11-21 8.0 High
The Advanced Contact form 7 DB WordPress plugin before 1.8.7 does not have authorisation nor CSRF checks in the acf7_db_edit_scr_file_delete AJAX action, and does not validate the file to be deleted, allowing any authenticated user to delete arbitrary files on the web server. For example, removing the wp-config.php allows attackers to trigger WordPress setup again, gain administrator privileges and execute arbitrary code or display arbitrary content to the users.
CVE-2021-24904 1 Lenderd 1 Mortgage Calculators Wp 2024-11-21 4.8 Medium
The Mortgage Calculators WP WordPress plugin before 1.56 does not implement any sanitisation on the color setting of the background of a calculator, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24903 1 Codeasily 1 Grand Flagallery 2024-11-21 4.8 Medium
The GRAND FlaGallery WordPress plugin through 6.1.2 does not sanitise and escape some of its gallery settings, which could allow high privilege users to perform Cross-Site scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24902 1 Typebot 1 Typebot 2024-11-21 4.8 Medium
The Typebot | Build beautiful conversational forms WordPress plugin before 1.4.3 does not sanitise and escape the Publish ID setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24901 1 Securemoz 1 Security Audit 2024-11-21 4.8 Medium
The Security Audit WordPress plugin through 1.0.0 does not sanitise and escape the Data Id setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24900 1 Wpmanageninja 1 Ninja Tables 2024-11-21 4.8 Medium
The Ninja Tables WordPress plugin before 4.1.8 does not sanitise and escape some of its table fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
CVE-2021-24899 1 Media-tags Project 1 Media-tags 2024-11-21 4.8 Medium
The Media-Tags WordPress plugin through 3.2.0.2 does not sanitise and escape any of its Labels settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_htnl capability is disallowed.
CVE-2021-24898 1 Editable-table Project 1 Editable Table 2024-11-21 4.8 Medium
The EditableTable WordPress plugin through 0.1.4 does not sanitise and escape any of the Table and Column fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
CVE-2021-24897 1 Viitorcloud 1 Add Subtitle 2024-11-21 5.4 Medium
The Add Subtitle WordPress plugin through 1.1.0 does not sanitise or escape the sub-title field (available only with classic editor) when output in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks
CVE-2021-24896 1 Calderaforms 1 Caldera Forms 2024-11-21 4.8 Medium
The Caldera Forms WordPress plugin before 1.9.5 does not sanitise and escape the Form Name before outputting it in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24895 1 Webbigt 1 Cybersoldier 2024-11-21 4.8 Medium
The Cybersoldier WordPress plugin before 1.7.0 does not sanitise and escape the URL settings before outputting it in an attribute, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
CVE-2021-24894 1 Implecode 1 Reviews Plus 2024-11-21 6.5 Medium
The Reviews Plus WordPress plugin before 1.2.14 does not validate the submitted rating, allowing submission of long integer, causing a Denial of Service in the review section when an authenticated user submit such rating and the reviews are set to be displayed on the post/page
CVE-2021-24893 1 Stars Rating Project 1 Stars Rating 2024-11-21 7.5 High
The Stars Rating WordPress plugin before 3.5.1 does not validate the submitted rating, allowing submission of long integer, causing a Denial of Service in the comments section, or pending comment dashboard depending if the user sent it as unauthenticated or authenticated.