Export limit exceeded: 364891 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (364891 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-25079 | 1 Crmperks | 1 Contact Form Entries | 2024-11-21 | 6.1 Medium |
| The Contact Form Entries WordPress plugin before 1.2.4 does not sanitise and escape various parameters, such as form_id, status, end_date, order, orderby and search before outputting them back in the admin page | ||||
| CVE-2021-25078 | 1 Wpaffiliatemanager | 1 Affiliates Manager | 2024-11-21 | 6.1 Medium |
| The Affiliates Manager WordPress plugin before 2.9.0 does not validate, sanitise and escape the IP address of requests logged by the click tracking feature, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against admin viewing the tracked requests. | ||||
| CVE-2021-25077 | 1 Visser | 1 Store Toolkit For Woocommerce | 2024-11-21 | 6.1 Medium |
| The Store Toolkit for WooCommerce WordPress plugin before 2.3.2 does not sanitise and escape the tab parameter before outputting it back in an admin page in an error message, leading to a Reflected Cross-Site Scripting | ||||
| CVE-2021-25076 | 1 Wedevs | 1 Wp User Frontend | 2024-11-21 | 8.8 High |
| The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting | ||||
| CVE-2021-25075 | 1 Wpdevart | 1 Duplicate Page Or Post | 2024-11-21 | 3.5 Low |
| The Duplicate Page or Post WordPress plugin before 1.5.1 does not have any authorisation and has a flawed CSRF check in the wpdevart_duplicate_post_parametrs_save_in_db AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings, or perform such attack via CSRF. Furthermore, due to the lack of escaping, this could lead to Stored Cross-Site Scripting issues | ||||
| CVE-2021-25074 | 1 Webp Converter For Media Project | 1 Webp Converter For Media | 2024-11-21 | 6.1 Medium |
| The WebP Converter for Media WordPress plugin before 4.0.3 contains a file (passthru.php) which does not validate the src parameter before redirecting the user to it, leading to an Open Redirect issue | ||||
| CVE-2021-25073 | 1 Webmaster-source | 1 Wp125 | 2024-11-21 | 8.8 High |
| The WP125 WordPress plugin before 1.5.5 does not have CSRF checks in various action, for example when deleting an ad, allowing attackers to make a logged in admin delete them via a CSRF attack | ||||
| CVE-2021-25072 | 1 Nextscripts | 1 Social Networks Auto Poster | 2024-11-21 | 6.5 Medium |
| The NextScripts: Social Networks Auto-Poster WordPress plugin before 4.3.25 does not have CSRF check in place when deleting items, allowing attacker to make a logged in admin delete arbitrary posts via a CSRF attack | ||||
| CVE-2021-25071 | 1 Inpsyde | 1 Akismet Privacy Policies | 2024-11-21 | 6.1 Medium |
| The WordPress plugin through 2.0.1 does not sanitise and escape the translation parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting | ||||
| CVE-2021-25070 | 1 Stopbadbots | 1 Block And Stop Bad Bots | 2024-11-21 | 9.8 Critical |
| The Block Bad Bots WordPress plugin before 6.88 does not properly sanitise and escape the User Agent before using it in a SQL statement to record logs, leading to an SQL Injection issue | ||||
| CVE-2021-25068 | 1 Dpl | 1 Sync Woocommerce Product Feed To Google Shopping | 2024-11-21 | 7.2 High |
| The Sync WooCommerce Product feed to Google Shopping WordPress plugin through 1.2.4 uses the 'feed_id' POST parameter which is not properly sanitized for use in a SQL statement, leading to a SQL injection vulnerability in the admin dashboard | ||||
| CVE-2021-25067 | 1 Pluginops | 1 Landing Page | 2024-11-21 | 5.4 Medium |
| The Landing Page Builder WordPress plugin before 1.4.9.6 was affected by a reflected XSS in page-builder-add on the ulpb_post admin page. | ||||
| CVE-2021-25066 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | 4.8 Medium |
| The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitize and escape some imported data, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | ||||
| CVE-2021-25065 | 1 Smashballoon | 1 Smash Balloon Social Post Feed | 2024-11-21 | 5.4 Medium |
| The Smash Balloon Social Post Feed WordPress plugin before 4.1.1 was affected by a reflected XSS in custom-facebook-feed in cff-top admin page. | ||||
| CVE-2021-25064 | 1 Wow-company | 1 Wow Countdowns | 2024-11-21 | 7.2 High |
| The Wow Countdowns WordPress plugin through 3.1.2 does not sanitize user input into the 'did' parameter and uses it in a SQL statement, leading to an authenticated SQL Injection. | ||||
| CVE-2021-25063 | 1 Cf7skins | 1 Contact Form 7 Skins | 2024-11-21 | 6.1 Medium |
| The Skins for Contact Form 7 WordPress plugin before 2.5.1 does not sanitise and escape the tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting | ||||
| CVE-2021-25062 | 1 Villatheme | 1 Orders Tracking For Woocommerce | 2024-11-21 | 6.1 Medium |
| The Orders Tracking for WooCommerce WordPress plugin before 1.1.10 does not sanitise and escape the file_url before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting | ||||
| CVE-2021-25061 | 1 Wpbookingsystem | 1 Wp Booking System | 2024-11-21 | 5.4 Medium |
| The WP Booking System WordPress plugin before 2.0.15 was affected by a reflected xss in wp-booking-system on the wpbs-calendars admin page. | ||||
| CVE-2021-25060 | 1 Fivestarplugins | 1 Five Star Business Profile And Schema | 2024-11-21 | 5.4 Medium |
| The Five Star Business Profile and Schema WordPress plugin before 2.1.7 does not have any authorisation and CSRF in its bpfwp_welcome_add_contact_page and bpfwp_welcome_set_contact_information AJAX action, allowing any authenticated users, such as subscribers, to call them. Furthermore, due to the lack of sanitisation, it also lead to Stored Cross-Site Scripting issues | ||||
| CVE-2021-25058 | 1 The Buffer Button Project | 1 The Buffer Button | 2024-11-21 | 5.4 Medium |
| The Buffer Button WordPress plugin through 1.0 was vulnerable to Authenticated Stored Cross Site Scripting (XSS) within the Twitter username to mention text field. | ||||