Export limit exceeded: 363308 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (363308 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-24631 | 1 Unlimited Popups Project | 1 Unlimited Popups | 2024-11-21 | 8.8 High |
| The Unlimited PopUps WordPress plugin through 4.5.3 does not sanitise or escape the did GET parameter before using it in a SQL statement, available to users as low as editor, leading to an authenticated SQL Injection | ||||
| CVE-2021-24630 | 1 Schreikasten Project | 1 Schreikasten | 2024-11-21 | 8.8 High |
| The Schreikasten WordPress plugin through 0.14.18 does not sanitise or escape the id GET parameter before using it in SQL statements in the comments dashboard from various actions, leading to authenticated SQL Injections which can be exploited by users as low as author | ||||
| CVE-2021-24629 | 1 Post Content Xmlrpc Project | 1 Post Content Xmlrpc | 2024-11-21 | 7.2 High |
| The Post Content XMLRPC WordPress plugin through 1.0 does not sanitise or escape multiple GET/POST parameters before using them in SQL statements in the admin dashboard, leading to an authenticated SQL Injections | ||||
| CVE-2021-24628 | 1 Wow-company | 1 Wow Forms | 2024-11-21 | 7.2 High |
| The Wow Forms WordPress plugin through 3.1.3 does not sanitise or escape a 'did' GET parameter before using it in a SQL statement, when deleting a form in the admin dashboard, leading to an authenticated SQL injection | ||||
| CVE-2021-24627 | 1 G Auto-hyperlink Project | 1 G Auto-hyperlink | 2024-11-21 | 7.2 High |
| The G Auto-Hyperlink WordPress plugin through 1.0.1 does not sanitise or escape an 'id' GET parameter before using it in a SQL statement, to select data to be displayed in the admin dashboard, leading to an authenticated SQL injection | ||||
| CVE-2021-24626 | 1 Chameleon Css Project | 1 Chameleon Css | 2024-11-21 | 8.8 High |
| The Chameleon CSS WordPress plugin through 1.2 does not have any CSRF and capability checks in all its AJAX calls, allowing any authenticated user, such as subscriber to call them and perform unauthorised actions. One of AJAX call, remove_css, also does not sanitise or escape the css_id POST parameter before using it in a SQL statement, leading to a SQL Injection | ||||
| CVE-2021-24625 | 1 Web-dorado | 1 Spidercatalog | 2024-11-21 | 7.2 High |
| The SpiderCatalog WordPress plugin through 1.7.3 does not sanitise or escape the 'parent' and 'ordering' parameters from the admin dashboard before using them in a SQL statement, leading to a SQL injection when adding a category | ||||
| CVE-2021-24624 | 1 Sonaar | 1 Mp3 Audio Player For Music\, Radio \& Podcast | 2024-11-21 | 4.8 Medium |
| The MP3 Audio Player for Music, Radio & Podcast by Sonaar WordPress plugin before 2.4.2 does not properly sanitize or escape data in some of its Playlist settings, allowing high privilege users to perform Cross-Site Scripting attacks | ||||
| CVE-2021-24623 | 1 Ticket-system | 1 Wordpress Advanced Ticket System | 2024-11-21 | 4.8 Medium |
| The WordPress Advanced Ticket System, Elite Support Helpdesk WordPress plugin before 1.0.64 does not sanitize or escape form values before saving to the database or when outputting, which allows high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | ||||
| CVE-2021-24622 | 1 Emarketdesign | 1 Customer Service Software \& Support Ticket System | 2024-11-21 | 4.8 Medium |
| The Customer Service Software & Support Ticket System WordPress plugin before 5.10.4 does not sanitize or escape form fields before outputting it in the List, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | ||||
| CVE-2021-24621 | 1 Stratospheredigital | 1 Wp Courses Lms | 2024-11-21 | 4.8 Medium |
| The WP Courses LMS WordPress plugin before 2.0.44 does not sanitise its Video Embed Code, allowing malicious code to be injected in it by high privilege users, even when the unfiltered_html capability is disallowed, which could lead to Stored Cross-Site Scripting issues | ||||
| CVE-2021-24620 | 1 Simple-e-commerce-shopping-cart Project | 1 Simple-e-commerce-shopping-cart | 2024-11-21 | 8.8 High |
| The WordPress Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal plugin through 2.2.5 does not check for the uploaded Downloadable Digital product file, allowing any file, such as PHP to be uploaded by an administrator. Furthermore, as there is no CSRF in place, attackers could also make a logged admin upload a malicious PHP file, which would lead to RCE | ||||
| CVE-2021-24619 | 1 Evona | 1 Per Page Add To Head | 2024-11-21 | 4.8 Medium |
| The Per page add to head WordPress plugin through 1.4.4 does not properly sanitise one of its setting, allowing malicious HTML to be inserted by high privilege users even when the unfiltered_html capability is disallowed, which could lead to Cross-Site Scripting issues. | ||||
| CVE-2021-24618 | 1 Wbolt | 1 Donate With Qrcode | 2024-11-21 | 5.4 Medium |
| The Donate With QRCode WordPress plugin before 1.4.5 does not sanitise or escape its QRCode Image setting, which result into a Stored Cross-Site Scripting (XSS). Furthermore, the plugin also does not have any CSRF and capability checks in place when saving such setting, allowing any authenticated user (as low as subscriber), or unauthenticated user via a CSRF vector to update them and perform such attack. | ||||
| CVE-2021-24617 | 1 Gamepress Project | 1 Gamepress | 2024-11-21 | 6.1 Medium |
| The GamePress WordPress plugin through 1.1.0 does not escape the op_edit POST parameter before outputting it back in multiple Game Option pages, leading to Reflected Cross-Site Scripting issues | ||||
| CVE-2021-24616 | 1 Addtoany | 1 Addtoany Share Buttons | 2024-11-21 | 4.8 Medium |
| The AddToAny Share Buttons WordPress plugin before 1.7.48 does not escape its Image URL button setting, which could lead allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | ||||
| CVE-2021-24615 | 1 Wechat Reward Project | 1 Wechat Reward | 2024-11-21 | 5.4 Medium |
| The Wechat Reward WordPress plugin through 1.7 does not sanitise or escape its QR settings, nor has any CSRF check in place, allowing attackers to make a logged in admin change the settings and perform Cross-Site Scripting attacks. | ||||
| CVE-2021-24614 | 1 Oz-plugin | 1 Book Appointment Online | 2024-11-21 | 4.8 Medium |
| The Book appointment online WordPress plugin before 1.39 does not sanitise or escape Service Prices before outputting it in the List, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | ||||
| CVE-2021-24613 | 1 Dfactory | 1 Post Views Counter | 2024-11-21 | 4.8 Medium |
| The Post Views Counter WordPress plugin before 1.3.5 does not sanitise or escape its Post Views Label settings, which could allow high privilege users to perform Cross-Site Scripting attacks in the frontend even when the unfiltered_html capability is disallowed | ||||
| CVE-2021-24612 | 1 Sociable Project | 1 Sociable | 2024-11-21 | 4.8 Medium |
| The Sociable WordPress plugin through 4.3.4.1 does not sanitise or escape some of its settings before outputting them in the admins dashboard, allowing high privilege users to perform Cross-Site Scripting attacks against other users even when the unfiltered_html capability is disallowed | ||||