Export limit exceeded: 363169 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (363169 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-24759 | 1 Pdf.js Viewer Project | 1 Pdf.js Viewer | 2024-11-21 | 5.4 Medium |
| The PDF.js Viewer WordPress plugin before 2.0.2 does not escape some of its shortcode and Gutenberg Block attributes, which could allow users with a role as low as Contributor to to perform Cross-Site Scripting attacks | ||||
| CVE-2021-24758 | 1 Email Log Project | 1 Email Log | 2024-11-21 | 8.8 High |
| The Email Log WordPress plugin before 2.4.7 does not properly validate, sanitise and escape the "orderby" and "order" GET parameters before using them in SQL statement in the admin dashboard, leading to SQL injections | ||||
| CVE-2021-24757 | 1 Stylishpricelist | 1 Stylish Price List | 2024-11-21 | 5.3 Medium |
| The Stylish Price List WordPress plugin before 6.9.0 does not perform capability checks in its spl_upload_ser_img AJAX action (available to both unauthenticated and authenticated users), which could allow unauthenticated users to upload images. | ||||
| CVE-2021-24756 | 1 Wp System Log Project | 1 Wp System Log | 2024-11-21 | 6.1 Medium |
| The WP System Log WordPress plugin before 1.0.21 does not sanitise, validate and escape the IP address retrieved from login requests before outputting them in the admin dashboard, which could allow unauthenticated attacker to perform Cross-Site Scripting attacks against admins viewing the logs. | ||||
| CVE-2021-24754 | 1 Mainwp | 1 Mainwp Child Reports | 2024-11-21 | 7.2 High |
| The MainWP Child Reports WordPress plugin before 2.0.8 does not validate or sanitise the order parameter before using it in a SQL statement in the admin dashboard, leading to an SQL injection issue | ||||
| CVE-2021-24753 | 1 Starfish | 1 Rich Review | 2024-11-21 | 7.2 High |
| The Rich Reviews by Starfish WordPress plugin before 1.9.6 does not properly validate the orderby GET parameter of the pending reviews page before using it in a SQL statement, leading to an authenticated SQL injection issue | ||||
| CVE-2021-24752 | 1 Catchplugins | 10 Catch Scroll Progress Bar, Catch Sticky Menu, Catch Themes Demo Import and 7 more | 2024-11-21 | 5.7 Medium |
| Multiple Plugins from the CatchThemes vendor do not perform capability and CSRF checks in the ctp_switch AJAX action, which could allow any authenticated users, such as Subscriber to change the Essential Widgets WordPress plugin before 1.9, To Top WordPress plugin before 2.3, Header Enhancement WordPress plugin before 1.5, Generate Child Theme WordPress plugin before 1.6, Essential Content Types WordPress plugin before 1.9, Catch Web Tools WordPress plugin before 2.7, Catch Under Construction WordPress plugin before 1.4, Catch Themes Demo Import WordPress plugin before 1.6, Catch Sticky Menu WordPress plugin before 1.7, Catch Scroll Progress Bar WordPress plugin before 1.6, Social Gallery and Widget WordPress plugin before 2.3, Catch Infinite Scroll WordPress plugin before 1.9, Catch Import Export WordPress plugin before 1.9, Catch Gallery WordPress plugin before 1.7, Catch Duplicate Switcher WordPress plugin before 1.6, Catch Breadcrumb WordPress plugin before 1.7, Catch IDs WordPress plugin before 2.4's configurations. | ||||
| CVE-2021-24751 | 1 Generateblocks | 1 Generateblocks | 2024-11-21 | 5.4 Medium |
| The GenerateBlocks WordPress plugin before 1.4.0 does not validate the generateblocks/container block's tagName attribute, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks. | ||||
| CVE-2021-24748 | 1 Mandsconsulting | 1 Email Before Download | 2024-11-21 | 8.8 High |
| The Email Before Download WordPress plugin before 6.8 does not properly validate and escape the order and orderby GET parameters before using them in SQL statements, leading to authenticated SQL injection issues | ||||
| CVE-2021-24747 | 1 Cleverplugins | 1 Seo Booster | 2024-11-21 | 7.2 High |
| The SEO Booster WordPress plugin before 3.8 allows for authenticated SQL injection via the "fn_my_ajaxified_dataloader_ajax" AJAX request as the $_REQUEST['order'][0]['dir'] parameter is not properly escaped leading to blind and error-based SQL injections. | ||||
| CVE-2021-24746 | 1 Heateor | 1 Sassy Social Share | 2024-11-21 | 6.1 Medium |
| The Social Sharing Plugin WordPress plugin before 3.3.40 does not escape the viewed post URL before outputting it back in onclick attributes when the "Enable 'More' icon" option is enabled (which is the default setting), leading to a Reflected Cross-Site Scripting issue. | ||||
| CVE-2021-24745 | 1 Wpkube | 1 About Author Box | 2024-11-21 | 5.4 Medium |
| The About Author Box WordPress plugin before 1.0.2 does not sanitise and escape the Social Profiles field values before outputting them in attributes, which could allow user with a role as low as contributor to perform Cross-Site Scripting attacks. | ||||
| CVE-2021-24744 | 1 Cimatti | 1 Contact Forms | 2024-11-21 | 4.8 Medium |
| The WordPress Contact Forms by Cimatti WordPress plugin before 1.4.12 does not sanitise and escape the Form Title before outputting it in some admin pages. which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed. | ||||
| CVE-2021-24743 | 1 Secondlinethemes | 1 Podcast Subscribe Buttons | 2024-11-21 | 5.4 Medium |
| The Podcast Subscribe Buttons WordPress plugin before 1.4.2 allows users with any role capable of editing or adding posts to perform stored XSS. | ||||
| CVE-2021-24742 | 1 Radiustheme | 1 Logo Slider And Showcase | 2024-11-21 | 6.5 Medium |
| The Logo Slider and Showcase WordPress plugin before 1.3.37 allows Editor users to update the plugin's settings via the rtWLSSettings AJAX action because it uses a nonce for authorisation instead of a capability check. | ||||
| CVE-2021-24741 | 1 Schiocco | 1 Support Board - Chat And Help Desk | 2024-11-21 | 9.8 Critical |
| The Support Board WordPress plugin before 3.3.4 does not escape multiple POST parameters (such as status_code, department, user_id, conversation_id, conversation_status_code, and recipient_id) before using them in SQL statements, leading to SQL injections which are exploitable by unauthenticated users. | ||||
| CVE-2021-24740 | 1 Themeum | 1 Tutor Lms | 2024-11-21 | 4.8 Medium |
| The Tutor LMS WordPress plugin before 1.9.9 does not escape some of its settings before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | ||||
| CVE-2021-24739 | 1 Shapedplugin | 1 Logo Carousel | 2024-11-21 | 8.1 High |
| The Logo Carousel WordPress plugin before 3.4.2 allows users with a role as low as Contributor to duplicate and view arbitrary private posts made by other users via the Carousel Duplication feature | ||||
| CVE-2021-24738 | 1 Shapedplugin | 1 Logo Carousel | 2024-11-21 | 5.4 Medium |
| The Logo Carousel WordPress plugin before 3.4.2 does not validate and escape the "Logo Margin" carousel option, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks | ||||
| CVE-2021-24737 | 1 Gvectors | 1 Wpdiscuz | 2024-11-21 | 4.8 Medium |
| The Comments – wpDiscuz WordPress plugin through 7.3.0 does not properly sanitise or escape the Follow and Unfollow messages before outputting them in the page, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | ||||