Search Results (363282 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-25051 | 1 Wow-company | 1 Modal Window | 2024-11-21 | 8.8 High |
| The Modal Window WordPress plugin before 5.2.2, within the wow-company admin menu page, allows include() of an arbitrary file with a PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE. | ||||
| CVE-2021-25050 | 1 Wpchill | 1 Remove Footer Credit | 2024-11-21 | 4.8 Medium |
| The Remove Footer Credit WordPress plugin before 1.0.11 does not properly sanitise its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | ||||
| CVE-2021-25049 | 1 Mobileeventsmanager | 1 Mobile Events Manager | 2024-11-21 | 4.8 Medium |
| The Mobile Events Manager WordPress plugin before 1.4.4 does not sanitise and escape various of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | ||||
| CVE-2021-25048 | 1 King-theme | 1 Kingcomposer | 2024-11-21 | 5.4 Medium |
| The KingComposer WordPress plugin through 2.9.6 does not have authorisation, CSRF checks and sanitisation/escaping when creating a profile, allowing any authenticated user to create arbitrary ones, with Cross-Site Scripting payloads in them | ||||
| CVE-2021-25047 | 1 10web | 1 10websocial | 2024-11-21 | 6.1 Medium |
| The 10Web Social Photo Feed WordPress plugin before 1.4.29 was affected by a reflected Cross-Site Scripting (XSS) vulnerability in the wdi_apply_changes admin page, allowing an attacker to perform such an attack against any logged-in user | ||||
| CVE-2021-25046 | 1 Webnus | 1 Modern Events Calendar Lite | 2024-11-21 | 5.4 Medium |
| The Modern Events Calendar Lite WordPress plugin before 6.2.0 allowed any logged-in user, even a subscriber user, to add a category whose parameters are incorrectly escaped in the admin panel, leading to stored XSS. | ||||
| CVE-2021-25045 | 1 Asgaros | 1 Asgaros Forum | 2024-11-21 | 7.2 High |
| The Asgaros Forum WordPress plugin before 1.15.15 does not validate or escape the forum_id parameter before using it in a SQL statement when editing a forum, leading to an SQL injection issue | ||||
| CVE-2021-25044 | 1 Premium-themes | 1 Cryptocurrency Pricing List And Ticker | 2024-11-21 | 6.1 Medium |
| The Cryptocurrency Pricing list and Ticker WordPress plugin through 1.5 does not sanitise and escape the ccpw_setpage parameter before outputting it back in pages where its shortcode is embedded, leading to a Reflected Cross-Site Scripting issue | ||||
| CVE-2021-25043 | 1 Pluginus | 1 Woocommerce Currency Switcher | 2024-11-21 | 6.1 Medium |
| The WOOCS WordPress plugin before 1.3.7.3 does not sanitise and escape the custom_prices parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue | ||||
| CVE-2021-25041 | 1 10web | 1 Photo Gallery | 2024-11-21 | 6.1 Medium |
| The Photo Gallery by 10Web WordPress plugin before 1.5.68 is vulnerable to Reflected Cross-Site Scripting (XSS) issues via the bwg_album_breadcrumb_0 and shortcode_id GET parameters passed to the bwg_frontend_data AJAX action | ||||
| CVE-2021-25040 | 1 Booking Calendar Project | 1 Booking Calendar | 2024-11-21 | 6.1 Medium |
| The Booking Calendar WordPress plugin before 8.9.2 does not sanitise and escape the booking_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting | ||||
| CVE-2021-25039 | 1 Obtaininfotech | 1 Multisite Content Copier/updater | 2024-11-21 | 6.1 Medium |
| The WordPress Multisite Content Copier/Updater WordPress plugin before 2.1.0 does not sanitise and escape the wmcc_content_type, wmcc_source_blog and wmcc_record_per_page parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues | ||||
| CVE-2021-25038 | 1 Obtaininfotech | 1 Multisite User Sync/unsync | 2024-11-21 | 6.1 Medium |
| The WordPress Multisite User Sync/Unsync WordPress plugin before 2.1.2 does not sanitise and escape the wmus_source_blog and wmus_record_per_page parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues | ||||
| CVE-2021-25037 | 1 Aioseo | 1 All In One Seo | 2024-11-21 | 6.5 Medium |
| The All in One SEO WordPress plugin before 4.1.5.3 is affected by an authenticated SQL injection issue, which was discovered during an internal audit by the Jetpack Scan team, and could grant attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords). | ||||
| CVE-2021-25036 | 1 Aioseo | 1 All In One Seo | 2024-11-21 | 8.8 High |
| The All in One SEO WordPress plugin before 4.1.5.3 is affected by a Privilege Escalation issue, which was discovered during an internal audit by the Jetpack Scan team, and may grant bad actors access to protected REST API endpoints they shouldn’t have access to. This could ultimately enable users with low-privileged accounts, like subscribers, to perform remote code execution on affected sites. | ||||
| CVE-2021-25035 | 1 Revmakx | 1 Backup And Staging By Wp Time Capsule | 2024-11-21 | 6.1 Medium |
| The Backup and Staging by WP Time Capsule WordPress plugin before 1.22.7 does not sanitise and escape the error parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting | ||||
| CVE-2021-25034 | 1 Wp User Project | 1 Wp User | 2024-11-21 | 6.1 Medium |
| The WP User WordPress plugin before 7.0 does not sanitise and escape some parameters in pages where the [wp_user] shortcode is used, leading to Reflected Cross-Site Scripting issues | ||||
| CVE-2021-25033 | 1 Noptin | 1 Noptin | 2024-11-21 | 6.1 Medium |
| The WordPress Newsletter Plugin WordPress plugin before 1.6.5 does not validate the to parameter before redirecting the user to its given value, leading to an open redirect issue | ||||
| CVE-2021-25032 | 1 Publishpress | 1 Capabilities | 2024-11-21 | 9.8 Critical |
| The PublishPress Capabilities WordPress plugin before 2.3.1 and the PublishPress Capabilities Pro WordPress plugin before 2.3.1 do not have authorisation and CSRF checks when updating the plugin's settings via the init hook, and do not ensure that the options to be updated belong to the plugin. As a result, unauthenticated attackers could update arbitrary blog options, such as the default role, and give any newly registered user the administrator role. | ||||
| CVE-2021-25031 | 1 Oxilab | 1 Image Hover Effects Ultimate | 2024-11-21 | 6.1 Medium |
| The Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier) WordPress plugin before 9.7.1 does not escape the effects parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting | ||||