Export limit exceeded: 363163 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (363163 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-24775 | 1 Bplugins | 1 Document Embedder | 2024-11-21 | 5.3 Medium |
| The Document Embedder WordPress plugin before 1.7.5 contains a REST endpoint, which could allow unauthenticated users to enumerate the title of arbitrary private and draft posts. | ||||
| CVE-2021-24774 | 1 Wpchill | 1 Check \& Log Email | 2024-11-21 | 7.2 High |
| The Check & Log Email WordPress plugin before 1.0.3 does not validate and escape the "order" and "orderby" GET parameters before using them in a SQL statement when viewing logs, leading to SQL injections issues | ||||
| CVE-2021-24772 | 1 Xwp | 1 Stream | 2024-11-21 | 8.8 High |
| The Stream WordPress plugin before 3.8.2 does not sanitise and validate the order GET parameter from the Stream Records admin dashboard before using it in a SQL statement, leading to an SQL injection issue. | ||||
| CVE-2021-24771 | 1 Inspirational Quote Rotator Project | 1 Inspirational Quote Rotator | 2024-11-21 | 4.8 Medium |
| The Inspirational Quote Rotator WordPress plugin through 1.0.0 does not sanitize and escape some of its quote fields when adding/editing a quote as admin, leading to Stored Cross-Site scripting issues when the quote is output in the "Quotes list" even when the unfiltered_html capability is disallowed | ||||
| CVE-2021-24770 | 1 Stylishpricelist | 1 Stylish Price List | 2024-11-21 | 6.5 Medium |
| The Stylish Price List WordPress plugin before 6.9.1 does not perform capability checks in its spl_upload_ser_img AJAX action (available to authenticated users), which could allow any authenticated users, such as subscriber, to upload arbitrary images. | ||||
| CVE-2021-24769 | 1 Permalink Manager Lite Project | 1 Permalink Manager Lite | 2024-11-21 | 7.2 High |
| The Permalink Manager Lite WordPress plugin before 2.2.13.1 does not validate and escape the orderby parameter before using it in a SQL statement in the Permalink Manager page, leading to a SQL Injection | ||||
| CVE-2021-24768 | 1 Wprssaggregator | 1 Wp Rss Aggregator | 2024-11-21 | 4.8 Medium |
| The WP RSS Aggregator WordPress plugin before 4.19.2 does not properly sanitise and escape the URL to Blacklist field, allowing malicious HTML to be inserted by high privilege users even when the unfiltered_html capability is disallowed, which could lead to Cross-Site Scripting issues. | ||||
| CVE-2021-24766 | 1 404 To 301 Project | 1 404 To 301 | 2024-11-21 | 6.5 Medium |
| The 404 to 301 – Redirect, Log and Notify 404 Errors WordPress plugin before 3.0.9 does not have CSRF check in place when cleaning the logs, which could allow attacker to make a logged in admin delete all of them via a CSRF attack | ||||
| CVE-2021-24765 | 1 Getperfectsurvey | 1 Perfect Survey | 2024-11-21 | 6.1 Medium |
| The Perfect Survey WordPress plugin through 1.5.2 does not validate and escape the X-Forwarded-For header value before outputting it in the statistic page when the Anonymize IP setting of a survey is turned off, leading to a Stored Cross-Site Scripting issue | ||||
| CVE-2021-24764 | 1 Getperfectsurvey | 1 Perfect Survey | 2024-11-21 | 6.1 Medium |
| The Perfect Survey WordPress plugin before 1.5.2 does not sanitise and escape multiple parameters (id and filters[session_id] of single_statistics page, type and message of importexport page) before outputting them back in pages/attributes in the admin dashboard, leading to Reflected Cross-Site Scripting issues | ||||
| CVE-2021-24763 | 1 Getperfectsurvey | 1 Perfect Survey | 2024-11-21 | 8.8 High |
| The Perfect Survey WordPress plugin before 1.5.2 does not have proper authorisation nor CSRF checks in the save_global_setting AJAX action, allowing unauthenticated users to edit surveys and modify settings. Given the lack of sanitisation and escaping in the settings, this could also lead to a Stored Cross-Site Scripting issue which will be executed in the context of a user viewing any survey | ||||
| CVE-2021-24762 | 1 Getperfectsurvey | 1 Perfect Survey | 2024-11-21 | 9.8 Critical |
| The Perfect Survey WordPress plugin before 1.5.2 does not validate and escape the question_id GET parameter before using it in a SQL statement in the get_question AJAX action, allowing unauthenticated users to perform SQL injection. | ||||
| CVE-2021-24761 | 1 Bestwebsoft | 1 Error Log Viewer | 2024-11-21 | 6.5 Medium |
| The Error Log Viewer WordPress plugin before 1.1.2 does not perform nonce check when deleting a log file and does not have path traversal prevention, which could allow attackers to make a logged in admin delete arbitrary text files on the web server. | ||||
| CVE-2021-24760 | 1 Pdf Viewer Block For Gutenberg Project | 1 Pdf Viewer Block For Gutenberg | 2024-11-21 | 5.4 Medium |
| The Gutenberg PDF Viewer Block WordPress plugin before 1.0.1 does not sanitise and escape its block, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks. | ||||
| CVE-2021-24759 | 1 Pdf.js Viewer Project | 1 Pdf.js Viewer | 2024-11-21 | 5.4 Medium |
| The PDF.js Viewer WordPress plugin before 2.0.2 does not escape some of its shortcode and Gutenberg Block attributes, which could allow users with a role as low as Contributor to to perform Cross-Site Scripting attacks | ||||
| CVE-2021-24758 | 1 Email Log Project | 1 Email Log | 2024-11-21 | 8.8 High |
| The Email Log WordPress plugin before 2.4.7 does not properly validate, sanitise and escape the "orderby" and "order" GET parameters before using them in SQL statement in the admin dashboard, leading to SQL injections | ||||
| CVE-2021-24757 | 1 Stylishpricelist | 1 Stylish Price List | 2024-11-21 | 5.3 Medium |
| The Stylish Price List WordPress plugin before 6.9.0 does not perform capability checks in its spl_upload_ser_img AJAX action (available to both unauthenticated and authenticated users), which could allow unauthenticated users to upload images. | ||||
| CVE-2021-24756 | 1 Wp System Log Project | 1 Wp System Log | 2024-11-21 | 6.1 Medium |
| The WP System Log WordPress plugin before 1.0.21 does not sanitise, validate and escape the IP address retrieved from login requests before outputting them in the admin dashboard, which could allow unauthenticated attacker to perform Cross-Site Scripting attacks against admins viewing the logs. | ||||
| CVE-2021-24754 | 1 Mainwp | 1 Mainwp Child Reports | 2024-11-21 | 7.2 High |
| The MainWP Child Reports WordPress plugin before 2.0.8 does not validate or sanitise the order parameter before using it in a SQL statement in the admin dashboard, leading to an SQL injection issue | ||||
| CVE-2021-24753 | 1 Starfish | 1 Rich Review | 2024-11-21 | 7.2 High |
| The Rich Reviews by Starfish WordPress plugin before 1.9.6 does not properly validate the orderby GET parameter of the pending reviews page before using it in a SQL statement, leading to an authenticated SQL injection issue | ||||