Export limit exceeded: 363508 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 363508 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (363508 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-24565 | 1 Contact Form 7 Captcha Project | 1 Contact Form 7 Captcha | 2024-11-21 | 8.8 High |
| The Contact Form 7 Captcha WordPress plugin before 0.0.9 does not have any CSRF check in place when saving its settings, allowing attacker to make a logged in user with the manage_options change them. Furthermore, the settings are not escaped when output in attributes, leading to a Stored Cross-Site Scripting issue. | ||||
| CVE-2021-24564 | 1 Wpfront | 1 Scroll Top | 2024-11-21 | 5.4 Medium |
| The WPFront Scroll Top WordPress plugin before 2.0.6.07225 does not sanitise or escape its Image ALT setting before outputting it attributes, leading to an Authenticated Stored Cross-Site Scripting issues even when the unfiltered_html capability is disallowed. | ||||
| CVE-2021-24563 | 1 Frontend Uploader Project | 1 Frontend Uploader | 2024-11-21 | 6.1 Medium |
| The Frontend Uploader WordPress plugin through 1.3.2 does not prevent HTML files from being uploaded via its form, allowing unauthenticated user to upload a malicious HTML file containing JavaScript for example, which will be triggered when someone access the file directly | ||||
| CVE-2021-24562 | 1 Lifterlms | 1 Lifterlms | 2024-11-21 | 7.5 High |
| The LMS by LifterLMS – Online Course, Membership & Learning Management System Plugin for WordPress plugin before 4.21.2 was affected by an IDOR issue, allowing students to see other student answers and grades | ||||
| CVE-2021-24560 | 1 Tipsandtricks-hq | 1 Software License Manager | 2024-11-21 | 6.1 Medium |
| The Software License Manager WordPress plugin before 4.4.8 does not sanitise or escape the edit_record parameter before outputting it back in the page in the admin dashboard, leading to a Reflected Cross-Site Scripting issue | ||||
| CVE-2021-24558 | 1 3.7designs | 1 Project Status | 2024-11-21 | 5.4 Medium |
| The pspin_duplicate_post_save_as_new_post function of the Project Status WordPress plugin through 1.6 does not sanitise, validate or escape the post GET parameter passed to it before outputting it in an error message when the related post does not exist, leading to a reflected XSS issue | ||||
| CVE-2021-24557 | 1 Nimble3 | 1 M-vslider | 2024-11-21 | 7.2 High |
| The update functionality in the rslider_page uses an rs_id POST parameter which is not validated, sanitised or escaped before being inserted in sql query, therefore leading to SQL injection for users having Administrator role. | ||||
| CVE-2021-24556 | 1 Email-subscriber Project | 1 Email-subscriber | 2024-11-21 | 6.1 Medium |
| The kento_email_subscriber_ajax AJAX action of the Email Subscriber WordPress plugin through 1.1, does not properly sanitise, validate and escape the submitted subscribe_email and subscribe_name POST parameters, inserting them in the DB and then outputting them back in the Subscriber list (/wp-admin/edit.php?post_type=kes_campaign&page=kento_email_subscriber_list_settings), leading a Stored XSS issue. | ||||
| CVE-2021-24555 | 1 Roosty | 1 Diary-availability-calendar | 2024-11-21 | 8.8 High |
| The daac_delete_booking_callback function, hooked to the daac_delete_booking AJAX action, takes the id POST parameter which is passed into the SQL statement without proper sanitisation, validation or escaping, leading to a SQL Injection issue. Furthermore, the ajax action is lacking any CSRF and capability check, making it available to any authenticated user. | ||||
| CVE-2021-24554 | 1 Freelancetoindia | 1 Paytm-pay | 2024-11-21 | 7.2 High |
| The Paytm – Donation Plugin WordPress plugin through 1.3.2 does not sanitise, validate or escape the id GET parameter before using it in a SQL statement when deleting donations, leading to an authenticated SQL injection issue | ||||
| CVE-2021-24553 | 1 Timeline Calendar Project | 1 Timeline Calendar | 2024-11-21 | 7.2 High |
| The Timeline Calendar WordPress plugin through 1.2 does not sanitise, validate or escape the edit GET parameter before using it in a SQL statement when editing events, leading to an authenticated SQL injection issue. Other SQL Injections are also present in the plugin | ||||
| CVE-2021-24552 | 1 Simple Events Calendar Project | 1 Simple Events Calendar | 2024-11-21 | 7.2 High |
| The Simple Events Calendar WordPress plugin through 1.4.0 does not sanitise, validate or escape the event_id POST parameter before using it in a SQL statement when deleting events, leading to an authenticated SQL injection issue | ||||
| CVE-2021-24551 | 1 Edit Comments Project | 1 Edit Comments | 2024-11-21 | 9.8 Critical |
| The Edit Comments WordPress plugin through 0.3 does not sanitise, validate or escape the jal_edit_comments GET parameter before using it in a SQL statement, leading to a SQL injection issue | ||||
| CVE-2021-24550 | 1 Broken Link Manager Project | 1 Broken Link Manager | 2024-11-21 | 7.2 High |
| The Broken Link Manager WordPress plugin through 0.6.5 does not sanitise, validate or escape the url GET parameter before using it in a SQL statement when retrieving an URL to edit, leading to an authenticated SQL injection issue | ||||
| CVE-2021-24549 | 1 Aceide Project | 1 Aceide | 2024-11-21 | 4.9 Medium |
| The AceIDE WordPress plugin through 2.6.2 does not sanitise or validate the user input which is appended to system paths before using it in various actions, such as to read arbitrary files from the server. This allows high privilege users such as administrator to access any file on the web server outside of the blog directory via a path traversal attack. | ||||
| CVE-2021-24548 | 1 Mimetic | 1 Mimetic Books | 2024-11-21 | 5.4 Medium |
| The Mimetic Books WordPress plugin through 0.2.13 was vulnerable to Authenticated Stored Cross-Site Scripting (XSS) in the "Default Publisher ID" field on the plugin's settings page. | ||||
| CVE-2021-24547 | 1 Kn Fix Your Title Project | 1 Kn Fix Your Title | 2024-11-21 | 5.4 Medium |
| The KN Fix Your Title WordPress plugin through 1.0.1 was vulnerable to Authenticated Stored XSS in the separator field. | ||||
| CVE-2021-24546 | 1 Extendify | 1 Editorskit | 2024-11-21 | 8.8 High |
| The Gutenberg Block Editor Toolkit – EditorsKit WordPress plugin before 1.31.6 does not sanitise and validate the Conditional Logic of the Custom Visibility settings, allowing users with a role as low contributor to execute Arbitrary PHP code | ||||
| CVE-2021-24545 | 1 Wp Html Author Bio Project | 1 Wp Html Author Bio | 2024-11-21 | 5.4 Medium |
| The WP HTML Author Bio WordPress plugin through 1.2.0 does not sanitise the HTML allowed in the Bio of users, allowing them to use malicious JavaScript code, which will be executed when anyone visit a post in the frontend made by such user. As a result, user with a role as low as author could perform Cross-Site Scripting attacks against users, which could potentially lead to privilege escalation when an admin view the related post/s. | ||||
| CVE-2021-24544 | 1 Motopress | 1 Motopress-slider-lite | 2024-11-21 | 5.4 Medium |
| The Responsive WordPress Slider WordPress plugin through 2.2.0 does not sanitise and escape some of the Slider options, allowing Cross-Site Scripting payloads to be set in them. Furthermore, as by default any authenticated user is allowed to create Sliders (https://wordpress.org/support/topic/slider-can-be-changed-from-any-user-even-subscriber/, such settings can be changed in the plugin's settings), this would allow user with a role as low as subscriber to perform Cross-Site Scripting attacks against logged in admins viewing the slider list and could lead to privilege escalation by creating a rogue admin account for example. | ||||