Search Results (363286 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2021-25121 | 1 Bestwebsoft | 1 Rating | 2024-11-21 | 6.5 Medium | The Rating by BestWebSoft WordPress plugin before 1.6 does not validate the submitted rating, allowing submission of a long integer, which causes a Denial of Service on the post/page when a user submits such a rating. |
| CVE-2021-25120 | 1 Easysocialfeed | 1 Easy Social Feed | 2024-11-21 | 6.1 Medium | The Easy Social Feed Free and Pro WordPress plugins before 6.2.7 do not sanitise some of their parameters used via AJAX actions before outputting them back in the response, leading to Reflected Cross-Site Scripting issues. |
| CVE-2021-25119 | 1 Wpsocket | 1 Automatic Grid Image Listing | 2024-11-21 | 7.2 High | The AGIL WordPress plugin through 1.0 accepts all zip files and automatically extracts the zip file without validating the extracted file type. This allows high privilege users such as admin to upload an arbitrary file, such as PHP, leading to RCE. |
| CVE-2021-25118 | 1 Yoast | 1 Yoast Seo | 2024-11-21 | 5.3 Medium | The Yoast SEO WordPress plugin (from versions 16.7 until 17.2) discloses the full internal path of featured images in posts via the wp/v2/posts REST endpoints, which could help an attacker identify other vulnerabilities or help during the exploitation of other identified vulnerabilities. |
| CVE-2021-25116 | 1 Enqueue Anything Project | 1 Enqueue Anything | 2024-11-21 | 6.5 Medium | The Enqueue Anything WordPress plugin through 1.0.1 does not have authorisation and CSRF checks in the remove_asset AJAX action, and does not ensure that the item to be deleted is actually an asset. As a result, low privilege users such as subscriber could delete arbitrary assets, as well as put arbitrary posts in the trash. |
| CVE-2021-25114 | 1 Strangerstudios | 1 Paid Memberships Pro | 2024-11-21 | 9.8 Critical | The Paid Memberships Pro WordPress plugin before 2.6.7 does not escape the discount_code in one of its REST routes (available to unauthenticated users) before using it in a SQL statement, leading to a SQL injection. |
| CVE-2021-25113 | 1 Dropdown Menu Widget Project | 1 Dropdown Menu Widget | 2024-11-21 | 5.4 Medium | The Dropdown Menu Widget WordPress plugin through 1.9.7 does not have authorisation and CSRF checks when saving its settings, allowing low privilege users such as subscriber to update them. Due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues. |
| CVE-2021-25112 | 1 I-plugins | 1 Whmcs Bridge | 2024-11-21 | 6.1 Medium | The WHMCS Bridge WordPress plugin before 6.4b does not sanitise and escape the error parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting. |
| CVE-2021-25111 | 1 English Wordpress Admin Project | 1 English Wordpress Admin | 2024-11-21 | 6.1 Medium | The English WordPress Admin WordPress plugin before 1.5.2 does not validate the admin_custom_language_return_url before redirecting users to it, leading to an open redirect issue. |
| CVE-2021-25110 | 1 Futuriowp | 1 Futurio Extra | 2024-11-21 | 4.3 Medium | The Futurio Extra WordPress plugin before 1.6.3 allows any logged in user, such as subscriber, to extract any other user's email address. |
| CVE-2021-25109 | 1 Futuriowp | 1 Futurio Extra | 2024-11-21 | 2.7 Low | The Futurio Extra WordPress plugin before 1.6.3 is affected by a SQL Injection vulnerability that could be used by high privilege users to extract data from the database, as well as to perform Cross-Site Scripting (XSS) against logged in admins by making them open a malicious link. |
| CVE-2021-25108 | 1 Ip2location | 1 Country Blocker | 2024-11-21 | 7.1 High | The IP2Location Country Blocker WordPress plugin before 2.26.6 does not have a CSRF check in the ip2location_country_blocker_save_rules AJAX action, allowing attackers to make a logged in admin block an arbitrary country, or block all of them at once, preventing users from accessing the frontend. |
| CVE-2021-25107 | 1 Accesspressthemes | 1 Form Store To Db | 2024-11-21 | 6.1 Medium | The Form Store to DB WordPress plugin before 1.1.1 does not sanitise and escape parameter keys before outputting them back in the created entry, allowing an unauthenticated attacker to perform Cross-Site Scripting attacks against admins. |
| CVE-2021-25106 | 1 Wpeka | 1 Wplegalpages | 2024-11-21 | 5.4 Medium | The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WPLegalPages WordPress plugin before 2.7.1 does not check for authorisation and has a flawed CSRF logic when saving its settings, allowing any authenticated user, such as subscriber, to update them. Furthermore, due to the lack of sanitisation and escaping, it could lead to Stored Cross-Site Scripting. |
| CVE-2021-25105 | 1 Ivorysearch | 1 Ivory Search | 2024-11-21 | 4.8 Medium | The Ivory Search WordPress plugin before 5.4.1 does not escape some of the Form settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2021-25104 | 1 Oceanwp | 1 Ocean Extra | 2024-11-21 | 6.1 Medium | The Ocean Extra WordPress plugin before 1.9.5 does not escape generated links which are then used when the OceanWP theme is active, leading to a Reflected Cross-Site Scripting issue. |
| CVE-2021-25103 | 1 Gtranslate | 1 Translate Wordpress With Gtranslate | 2024-11-21 | 4.7 Medium | The Translate WordPress with GTranslate WordPress plugin before 2.9.7 does not sanitise and escape the body parameter in the url_addon/gtranslate-email.php file before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue. Note: exploitation of the issue requires knowledge of the NONCE_SALT and NONCE_KEY. |
| CVE-2021-25102 | 1 Tipsandtricks-hq | 1 All In One Wp Security & Firewall | 2024-11-21 | 4.7 Medium | The All In One WP Security & Firewall WordPress plugin before 4.4.11 does not validate, sanitise and escape the redirect_to parameter before using it to redirect users, either via a Location header or a meta url attribute, when the Rename Login Page feature is active, which could lead to an Arbitrary Redirect as well as a Cross-Site Scripting issue. Exploitation of this issue requires the Login Page URL value to be known, which should be hard to guess, reducing the risk. |
| CVE-2021-25101 | 1 Anti-malware Security And Brute-force Firewall Project | 1 Anti-malware Security And Brute-force Firewall | 2024-11-21 | 4.8 Medium | The Anti-Malware Security and Brute-Force Firewall WordPress plugin before 4.20.94 does not sanitise and escape the POST data before outputting it back in attributes of an admin page, leading to a Reflected Cross-Site Scripting. Because a specific parameter value, available only to admin users, is required, this can only be exploited by an admin against another admin user. |
| CVE-2021-25100 | 1 Givewp | 1 Givewp | 2024-11-21 | 6.1 Medium | The GiveWP WordPress plugin before 2.17.3 does not escape the s parameter before outputting it back in an attribute in the Donation Forms dashboard, leading to a Reflected Cross-Site Scripting. |
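Several of the entries above share one root cause: a `wp_ajax_` or REST handler that never checks a nonce (CSRF), never checks a capability (authorisation), never validates that the supplied ID points at the object type it expects (CVE-2021-25116), concatenates user input into SQL (CVE-2021-25114), reflects input unescaped (CVE-2021-25120, CVE-2021-25100), or redirects to an unvalidated URL (CVE-2021-25111, CVE-2021-25102). The following is an added example, not code from any of the plugins listed; it shows that pattern beside a hardened handler using only core WordPress APIs. The action name `example_remove_asset`, the post type `example_asset`, the table `{prefix}example_discounts` and all parameter names are assumptions chosen for illustration.

```php
<?php
/**
 * Added example (not from any plugin in the table above).
 * Runs inside WordPress; hook names, post type and table are assumed.
 */

// ---- Vulnerable shape, shown only for contrast (intentionally NOT hooked) ----
// Any logged-in user (subscriber included) reaches wp_ajax_* handlers, so with no
// nonce and no capability check this trashes any post and reflects input unescaped.
function example_remove_asset_vulnerable() {
    $id = $_POST['id'];                          // unvalidated, any post ID
    wp_trash_post( $id );                        // no capability check, no type check
    echo 'Removed ' . $_POST['label'];           // reflected XSS in the AJAX response
    wp_die();
}

// ---- Hardened handler ---------------------------------------------------------
add_action( 'wp_ajax_example_remove_asset', 'example_remove_asset' );
function example_remove_asset() {
    // 1. CSRF: require a nonce minted for this action and this user. On failure
    //    check_ajax_referer() dies with -1 before anything else runs.
    check_ajax_referer( 'example_remove_asset', 'nonce' );

    // 2. Authorisation: being logged in is not enough; require the capability
    //    the operation actually needs (assumed: manage_options).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. Validate the target: integer ID that really is one of the plugin's own
    //    asset posts (assumed post type example_asset), not an arbitrary post.
    $id = isset( $_POST['id'] ) ? absint( wp_unslash( $_POST['id'] ) ) : 0;
    if ( 0 === $id || 'example_asset' !== get_post_type( $id ) ) {
        wp_send_json_error( array( 'message' => 'Not an asset.' ), 400 );
    }

    // 4. Sanitise free-text input before it is stored or echoed anywhere.
    $label = isset( $_POST['label'] ) ? sanitize_text_field( wp_unslash( $_POST['label'] ) ) : '';

    if ( ! wp_trash_post( $id ) ) {
        wp_send_json_error( array( 'message' => 'Could not remove asset.' ), 500 );
    }

    // 5. Escape on output. wp_send_json_* JSON-encodes, but a label that the
    //    client will inject into HTML is escaped here as well.
    wp_send_json_success( array(
        'removed' => $id,
        'label'   => esc_html( $label ),
    ) );
}

// ---- Parameterised SQL for a public REST lookup (cf. the discount_code entry) --
// The code travels as a bound %s placeholder and is never concatenated into the query.
function example_find_discount( $code ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_discounts';   // assumed table name
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT id, code, amount FROM {$table} WHERE code = %s", $code )
    );
}

// ---- Redirect target validation (cf. the redirect_to / return_url entries) ----
// wp_validate_redirect() only returns $url when its host is the site's own (or one
// on the allowed_redirect_hosts filter); otherwise it returns the fallback.
function example_safe_return_url( $url ) {
    return wp_validate_redirect( esc_url_raw( $url ), admin_url() );
}
```

The nonce on the client side is minted with `wp_create_nonce( 'example_remove_asset' )` (typically passed to the script via `wp_localize_script`) and posted as the `nonce` field; a request that omits or forges it is rejected at step 1, and a subscriber who does carry a valid nonce is still stopped at step 2. Step 3 is the check CVE-2021-25116 describes as missing: the handler refuses any ID whose post type is not the plugin's own, so it cannot be used to trash unrelated posts. For redirects, `wp_safe_redirect( example_safe_return_url( $url ) )` is the idiomatic replacement for sending an attacker-supplied value straight into a `Location` header.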