Export limit exceeded: 363715 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 363715 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (363715 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-24259 | 1 Webtechstreet | 1 Elementor Addon Elements | 2024-11-21 | 5.4 Medium |
| The “Elementor Addon Elements” WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | ||||
| CVE-2021-24258 | 1 Wpmet | 1 Elements Kit Elementor Addons | 2024-11-21 | 5.4 Medium |
| The Elements Kit Lite and Elements Kit Pro WordPress Plugins before 2.2.0 have a number of widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | ||||
| CVE-2021-24257 | 1 Leap13 | 1 Premium Addons For Elementor | 2024-11-21 | 5.4 Medium |
| The “Premium Addons for Elementor” WordPress Plugin before 4.2.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | ||||
| CVE-2021-24256 | 1 Brainstormforce | 1 Elementor - Header\, Footer \& Blocks Template | 2024-11-21 | 5.4 Medium |
| The “Elementor – Header, Footer & Blocks Template” WordPress Plugin before 1.5.8 has two widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method. | ||||
| CVE-2021-24255 | 1 Wpdeveloper | 1 Essential Addons For Elementor | 2024-11-21 | 5.4 Medium |
| The Essential Addons for Elementor Lite WordPress Plugin before 4.5.4 has two widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, both via a similar method. | ||||
| CVE-2021-24254 | 1 College Publisher Import Project | 1 College Publisher Import | 2024-11-21 | 7.2 High |
| The College publisher Import WordPress plugin through 0.1 does not check for the uploaded CSV file to import, allowing high privilege users to upload arbitrary files, such as PHP, leading to RCE. Due to the lack of CSRF check, the issue could also be exploited via a CSRF attack. | ||||
| CVE-2021-24253 | 1 Classyfrieds Project | 1 Classyfrieds | 2024-11-21 | 8.8 High |
| The Classyfrieds WordPress plugin through 3.8 does not properly check the uploaded file when an authenticated user adds a listing, only checking the content-type in the request. This allows any authenticated user to upload arbitrary PHP files via the Add Listing feature of the plugin, leading to RCE. | ||||
| CVE-2021-24252 | 1 Wp-eventmanager | 1 Event Banner | 2024-11-21 | 7.2 High |
| The Event Banner WordPress plugin through 1.3 does not verify the uploaded image file, allowing admin accounts to upload arbitrary files, such as .exe, .php, or others executable, leading to RCE. Due to the lack of CSRF check, the issue can also be used via such vector to achieve the same result, or via a LFI as authorisation checks are missing (but would require WP to be loaded) | ||||
| CVE-2021-24251 | 1 Strategy11 | 1 Business Directory Plugin - Easy Listing Directories | 2024-11-21 | 4.3 Medium |
| The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator update arbitrary payment history, such as change their status (from pending to completed to example) | ||||
| CVE-2021-24250 | 1 Strategy11 | 1 Business Directory Plugin - Easy Listing Directories | 2024-11-21 | 5.4 Medium |
| The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from lack of sanitisation in the label of the Form Fields, leading to Authenticated Stored Cross-Site Scripting issues across various pages of the plugin. | ||||
| CVE-2021-24249 | 1 Strategy11 | 1 Business Directory Plugin - Easy Listing Directories | 2024-11-21 | 6.5 Medium |
| The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator export files, which could then be downloaded by the attacker to get access to PII, such as email, home addresses etc | ||||
| CVE-2021-24248 | 1 Strategy11 | 1 Business Directory Plugin - Easy Listing Directories | 2024-11-21 | 7.2 High |
| The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.1 did not properly check for imported files, forbidding certain extension via a blacklist approach, allowing administrator to import an archive with a .php4 inside for example, leading to RCE | ||||
| CVE-2021-24247 | 1 Mooveagency | 1 Contact Form Check Tester | 2024-11-21 | 5.4 Medium |
| The Contact Form Check Tester WordPress plugin through 1.0.2 settings are visible to all registered users in the dashboard and are lacking any sanitisation. As a result, any registered user, such as subscriber, can leave an XSS payload in the plugin settings, which will be triggered by any user visiting them, and could allow for privilege escalation. The vendor decided to close the plugin. | ||||
| CVE-2021-24246 | 1 Purethemes | 2 Workscout, Workscout Core | 2024-11-21 | 5.4 Medium |
| The Workscout Core WordPress plugin before 1.3.4, used by the WorkScout Theme did not sanitise the chat messages sent via the workscout_send_message_chat AJAX action, leading to Stored Cross-Site Scripting and Cross-Frame Scripting issues | ||||
| CVE-2021-24245 | 1 Trumani | 1 Stop Spammers | 2024-11-21 | 6.1 Medium |
| The Stop Spammers WordPress plugin before 2021.9 did not escape user input when blocking requests (such as matching a spam word), outputting it in an attribute after sanitising it to remove HTML tags, which is not sufficient and lead to a reflected Cross-Site Scripting issue. | ||||
| CVE-2021-24244 | 1 Wpbakery Page Builder Clipboard Project | 1 Wpbakery Page Builder Clipboard | 2024-11-21 | 6.5 Medium |
| An AJAX action registered by the WPBakery Page Builder (Visual Composer) Clipboard WordPress plugin before 4.5.8 did not have capability checks, allowing low privilege users, such as subscribers, to update the license options (key, email). | ||||
| CVE-2021-24243 | 1 Wpbakery Page Builder Clipboard Project | 1 Wpbakery Page Builder Clipboard | 2024-11-21 | 5.4 Medium |
| An AJAX action registered by the WPBakery Page Builder (Visual Composer) Clipboard WordPress plugin before 4.5.6 did not have capability checks nor sanitization, allowing low privilege users (subscriber+) to call it and set XSS payloads, which will be triggered in all backend pages. | ||||
| CVE-2021-24242 | 1 Themeum | 1 Tutor Lms | 2024-11-21 | 3.8 Low |
| The Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.8 is affected by a local file inclusion vulnerability through the maliciously constructed sub_page parameter of the plugin's Tools, allowing high privilege users to include any local php file | ||||
| CVE-2021-24241 | 1 Advancedcustomfields | 1 Advanced Custom Fields | 2024-11-21 | 6.1 Medium |
| The Advanced Custom Fields Pro WordPress plugin before 5.9.1 did not properly escape the generated update URL when outputting it in an attribute, leading to a reflected Cross-Site Scripting issue in the update settings page. | ||||
| CVE-2021-24240 | 1 Aivahthemes | 1 Business Hours Pro | 2024-11-21 | 9.8 Critical |
| The Business Hours Pro WordPress plugin through 5.5.0 allows a remote attacker to upload arbitrary files using its manual update functionality, leading to an unauthenticated remote code execution vulnerability. | ||||