Export limit exceeded: 364910 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 364910 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (364910 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-25035 | 1 Revmakx | 1 Backup And Staging By Wp Time Capsule | 2024-11-21 | 6.1 Medium |
| The Backup and Staging by WP Time Capsule WordPress plugin before 1.22.7 does not sanitise and escape the error parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting | ||||
| CVE-2021-25034 | 1 Wp User Project | 1 Wp User | 2024-11-21 | 6.1 Medium |
| The WP User WordPress plugin before 7.0 does not sanitise and escape some parameters in pages where the [wp_user] shortcode is used, leading to Reflected Cross-Site Scripting issues | ||||
| CVE-2021-25033 | 1 Noptin | 1 Noptin | 2024-11-21 | 6.1 Medium |
| The WordPress Newsletter Plugin WordPress plugin before 1.6.5 does not validate the to parameter before redirecting the user to its given value, leading to an open redirect issue | ||||
| CVE-2021-25032 | 1 Publishpress | 1 Capabilities | 2024-11-21 | 9.8 Critical |
| The PublishPress Capabilities WordPress plugin before 2.3.1, PublishPress Capabilities Pro WordPress plugin before 2.3.1 does not have authorisation and CSRF checks when updating the plugin's settings via the init hook, and does not ensure that the options to be updated belong to the plugin. As a result, unauthenticated attackers could update arbitrary blog options, such as the default role and make any new registered user with an administrator role. | ||||
| CVE-2021-25031 | 1 Oxilab | 1 Image Hover Effects Ultimate | 2024-11-21 | 6.1 Medium |
| The Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier) WordPress plugin before 9.7.1 does not escape the effects parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting | ||||
| CVE-2021-25030 | 1 E-dynamics | 1 Events Made Easy | 2024-11-21 | 8.8 High |
| The Events Made Easy WordPress plugin before 2.2.36 does not sanitise and escape the search_text parameter before using it in a SQL statement via the eme_searchmail AJAX action, available to any authenticated users. As a result, users with a role as low as subscriber can call it and perform SQL injection attacks | ||||
| CVE-2021-25029 | 1 Cluevo | 1 Learning Management System | 2024-11-21 | 4.8 Medium |
| The CLUEVO LMS, E-Learning Platform WordPress plugin before 1.8.1 does not sanitise and escape Course's module, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | ||||
| CVE-2021-25028 | 1 Tri | 1 Event Tickets | 2024-11-21 | 6.1 Medium |
| The Event Tickets WordPress plugin before 5.2.2 does not validate the tribe_tickets_redirect_to parameter before redirecting the user to the given value, leading to an arbitrary redirect issue | ||||
| CVE-2021-25027 | 1 Ideabox | 1 Powerpack Addons For Elementor | 2024-11-21 | 6.1 Medium |
| The PowerPack Addons for Elementor WordPress plugin before 2.6.2 does not escape the tab parameter before outputting it back in an attribute in the admin dashboard, leading to a Reflected Cross-Site Scripting issue | ||||
| CVE-2021-25026 | 1 Patreon | 1 Patreon Wordpress | 2024-11-21 | 5.5 Medium |
| The Patreon WordPress plugin before 1.8.2 does not sanitise and escape the field "Custom Patreon Page name", which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | ||||
| CVE-2021-25025 | 1 Theeventscalendar | 1 Eventcalendar | 2024-11-21 | 4.3 Medium |
| The EventCalendar WordPress plugin before 1.1.51 does not have proper authorisation and CSRF checks in the add_calendar_event AJAX actions, allowing users with a role as low as subscriber to create events | ||||
| CVE-2021-25024 | 1 Theeventscalendar | 1 Eventcalendar | 2024-11-21 | 6.1 Medium |
| The EventCalendar WordPress plugin before 1.1.51 does not escape some user input before outputting it back in attributes, leading to Reflected Cross-SIte Scripting issues | ||||
| CVE-2021-25023 | 1 Optimocha | 1 Speed Booster Pack | 2024-11-21 | 7.2 High |
| The Speed Booster Pack ⚡ PageSpeed Optimization Suite WordPress plugin before 4.3.3.1 does not escape the sbp_convert_table_name parameter before using it in a SQL statement to convert the related table, leading to an SQL injection | ||||
| CVE-2021-25021 | 1 Ffw | 1 Optimize My Google Fonts | 2024-11-21 | 4.9 Medium |
| The OMGF | Host Google Fonts Locally WordPress plugin before 4.5.12 does not validate the cache directory setting, allowing high privilege users to use a path traversal vector and delete arbitrary folders when uninstalling the plugin | ||||
| CVE-2021-25020 | 1 Daan | 1 Complete Analytics Optimization Suite | 2024-11-21 | 4.9 Medium |
| The CAOS | Host Google Analytics Locally WordPress plugin before 4.1.9 does not validate the cache directory setting, allowing high privilege users to use a path traversal vector and delete arbitrary folders when uninstalling the plugin | ||||
| CVE-2021-25019 | 1 Squirrly | 1 Seo Plugin By Squirrly Seo | 2024-11-21 | 6.1 Medium |
| The SEO Plugin by Squirrly SEO WordPress plugin before 11.1.12 does not escape the type parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting | ||||
| CVE-2021-25018 | 1 Najeebmedia | 1 Ppom For Woocommerce | 2024-11-21 | 5.4 Medium |
| The PPOM for WooCommerce WordPress plugin before 24.0 does not have authorisation and CSRF checks in the ppom_settings_panel_action AJAX action, allowing any authenticated to call it and set arbitrary settings. Furthermore, due to the lack of sanitisation and escaping, it could lead to Stored XSS issues | ||||
| CVE-2021-25017 | 1 Themeum | 1 Tutor Lms | 2024-11-21 | 6.1 Medium |
| The Tutor LMS WordPress plugin before 1.9.12 does not escape the search parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting | ||||
| CVE-2021-25016 | 1 Premio | 2 Chaty, Chaty Pro | 2024-11-21 | 6.1 Medium |
| The Chaty WordPress plugin before 2.8.3 and Chaty Pro WordPress plugin before 2.8.2 do not sanitise and escape the search parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting | ||||
| CVE-2021-25015 | 1 Mycred | 1 Mycred | 2024-11-21 | 6.1 Medium |
| The myCred WordPress plugin before 2.4 does not sanitise and escape the search query before outputting it back in the history dashboard page, leading to a Reflected Cross-Site Scripting issue | ||||