Export limit exceeded: 363163 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 363163 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (363163 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-24816 | 1 Phoenix Media Rename Project | 1 Phoenix Media Rename | 2024-11-21 | 4.3 Medium |
| The Phoenix Media Rename WordPress plugin before 3.4.4 does not have capability checks in its phoenix_media_rename AJAX action, which could allow users with Author roles to rename any uploaded media files, including ones they do not own. | ||||
| CVE-2021-24815 | 1 Wpplugin | 1 Accept Donations With Paypal | 2024-11-21 | 4.8 Medium |
| The Accept Donations with PayPal WordPress plugin before 1.3.2 does not escape the Amount Menu Name field of created Buttons, which could allow a high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | ||||
| CVE-2021-24814 | 1 Welaunch | 1 Wordpress Gdpr\&ccpa | 2024-11-21 | 9.6 Critical |
| The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.26, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type. Since an HTML payload isn't properly escaped, it may be interpreted by a web browser led to this endpoint. Javascript code may be executed on a victim's browser. If the victim is an administrator with a valid session cookie, full control of the WordPress instance may be taken (AJAX calls and iframe manipulation are possible because the vulnerable endpoint is on the same domain as the admin panel - there is no same-origin restriction). | ||||
| CVE-2021-24813 | 1 E-dynamics | 1 Events Made Easy | 2024-11-21 | 4.8 Medium |
| The Events Made Easy WordPress plugin before 2.2.24 does not sanitise and escape Custom Field Names, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | ||||
| CVE-2021-24812 | 1 Wpdeveloper | 1 Betterlinks | 2024-11-21 | 5.4 Medium |
| The BetterLinks WordPress plugin before 1.2.6 does not sanitise and escape some of imported link fields, which could lead to Stored Cross-Site Scripting issues when an admin import a malicious CSV. | ||||
| CVE-2021-24811 | 1 Shoppagewp | 1 Shop Page Wp | 2024-11-21 | 4.8 Medium |
| The Shop Page WP WordPress plugin before 1.2.8 does not sanitise and escape some of the Product fields, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | ||||
| CVE-2021-24810 | 1 Wp-eventmanager | 1 Wp Event Manager | 2024-11-21 | 4.8 Medium |
| The WP Event Manager WordPress plugin before 3.1.23 does not escape some of its Field Editor settings when outputting them, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | ||||
| CVE-2021-24809 | 1 Wordplus | 1 Better Messages | 2024-11-21 | 8.8 High |
| The BP Better Messages WordPress plugin before 1.9.9.41 does not check for CSRF in multiple of its AJAX actions: bp_better_messages_leave_chat, bp_better_messages_join_chat, bp_messages_leave_thread, bp_messages_mute_thread, bp_messages_unmute_thread, bp_better_messages_add_user_to_thread, bp_better_messages_exclude_user_from_thread. This could allow attackers to make logged in users do unwanted actions | ||||
| CVE-2021-24808 | 1 Wordplus | 1 Better Messages | 2024-11-21 | 6.1 Medium |
| The BP Better Messages WordPress plugin before 1.9.9.41 sanitise (with sanitize_text_field) but does not escape the 'subject' parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue | ||||
| CVE-2021-24807 | 1 Schiocco | 1 Support Board | 2024-11-21 | 5.4 Medium |
| The Support Board WordPress plugin before 3.3.5 allows Authenticated (Agent+) users to perform Cross-Site Scripting attacks by placing a payload in the notes field, when an administrator or any authenticated user go to the chat the XSS will be automatically executed. | ||||
| CVE-2021-24806 | 1 Gvectors | 1 Wpdiscuz | 2024-11-21 | 4.3 Medium |
| The wpDiscuz WordPress plugin before 7.3.4 does check for CSRF when adding, editing and deleting comments, which could allow attacker to make logged in users such as admin edit and delete arbitrary comment, or the user who made the comment to edit it via a CSRF attack. Attackers could also make logged in users post arbitrary comment. | ||||
| CVE-2021-24805 | 1 Designwall | 1 Dw Question \& Answer | 2024-11-21 | 4.3 Medium |
| The DW Question & Answer Pro WordPress plugin through 1.3.4 does not properly check for CSRF in some of its functions, allowing attackers to make logged in users perform unwanted actions, such as update a comment or a question status. | ||||
| CVE-2021-24804 | 1 Simple Jwt Login Project | 1 Simple Jwt Login | 2024-11-21 | 8.8 High |
| The Simple JWT Login WordPress plugin before 3.2.1 does not have nonce checks when saving its settings, allowing attackers to make a logged in admin changed them. Settings such as HMAC verification secret, account registering and default user roles can be updated, which could result in site takeover. | ||||
| CVE-2021-24803 | 1 Core Tweaks Wp Setup Project | 1 Core Tweaks Wp Setup | 2024-11-21 | 8.8 High |
| The Core Tweaks WP Setup WordPress plugin through 4.1 allows to bulk-set many settings in WordPress, including the admin email, as well as creating a new admin account. There is no CSRF protection in place, allowing an attacker to arbitrary change the admin email or create another admin account and takeover the website via CSRF attacks | ||||
| CVE-2021-24802 | 1 Gesundheit-bewegt | 1 Colorful Categories | 2024-11-21 | 6.5 Medium |
| The Colorful Categories WordPress plugin before 2.0.15 does not enforce nonce checks which could allow attackers to make a logged in admin or editor change taxonomy colors via a CSRF attack | ||||
| CVE-2021-24801 | 1 Wp Survey Plus Project | 1 Wp Survey Plus | 2024-11-21 | 4.3 Medium |
| The WP Survey Plus WordPress plugin through 1.0 does not have any authorisation and CSRF checks in place in its AJAX actions, allowing any user to call them and add/edit/delete Surveys. Furthermore, due to the lack of sanitization in the Surveys' Title, this could also lead to Stored Cross-Site Scripting issues | ||||
| CVE-2021-24800 | 1 Designwall | 1 Dw Question \& Answer | 2024-11-21 | 4.3 Medium |
| The DW Question & Answer Pro WordPress plugin through 1.3.4 does not check that the comment to edit belongs to the user making the request, allowing any user to edit other comments. | ||||
| CVE-2021-24799 | 1 Tipsandtricks-hq | 1 Far Future Expiry Header | 2024-11-21 | 4.3 Medium |
| The Far Future Expiry Header WordPress plugin before 1.5 does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. | ||||
| CVE-2021-24798 | 1 Androidbubbles | 1 Wp Header Images | 2024-11-21 | 6.1 Medium |
| The WP Header Images WordPress plugin before 2.0.1 does not sanitise and escape the t parameter before outputting it back in the plugin's settings page, leading to a Reflected Cross-Site Scripting issue | ||||
| CVE-2021-24797 | 1 Tickera | 1 Tickera | 2024-11-21 | 6.1 Medium |
| The Tickera WordPress plugin before 3.4.8.3 does not properly sanitise and escape the Name fields of booked Events before outputting them in the Orders admin dashboard, which could allow unauthenticated users to perform Cross-Site Scripting attacks against admins. | ||||