Export limit exceeded: 364911 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (364911 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-25015 | 1 Mycred | 1 Mycred | 2024-11-21 | 6.1 Medium |
| The myCred WordPress plugin before 2.4 does not sanitise and escape the search query before outputting it back in the history dashboard page, leading to a Reflected Cross-Site Scripting issue | ||||
| CVE-2021-25014 | 1 Vowelweb | 1 Ibtana | 2024-11-21 | 3.5 Low |
| The Ibtana WordPress plugin before 1.1.4.9 does not have authorisation and CSRF checks in the ive_save_general_settings AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings which could lead to Stored Cross-Site Scripting issue. | ||||
| CVE-2021-25013 | 1 Themeum | 1 Qubely | 2024-11-21 | 6.5 Medium |
| The Qubely WordPress plugin before 1.7.8 does not have authorisation and CSRF check on the qubely_delete_saved_block AJAX action, and does not ensure that the block to be deleted belong to the plugin, as a result, any authenticated users, such as subscriber can delete arbitrary posts | ||||
| CVE-2021-25012 | 1 Popozure | 1 Pz-linkcard | 2024-11-21 | 6.1 Medium |
| The Pz-LinkCard WordPress plugin through 2.4.4.4 does not sanitise and escape multiple parameters before outputting them back in admin dashboard pages, leading to Reflected Cross-Site Scripting issues | ||||
| CVE-2021-25011 | 1 Wpgooglemap | 1 Wp Google Map | 2024-11-21 | 5.7 Medium |
| The Maps Plugin using Google Maps for WordPress plugin before 1.8.1 does not have proper authorisation and CSRF in most of its AJAX actions, which could allow any authenticated users, such as subscriber to delete arbitrary posts and update the plugin's settings. | ||||
| CVE-2021-25010 | 1 Postsnippets | 1 Post Snippets | 2024-11-21 | 9.6 Critical |
| The Post Snippets WordPress plugin before 3.1.4 does not have CSRF check when importing files, allowing attacker to make a logged In admin import arbitrary snippets. Furthermore, imported snippers are not sanitised and escaped, which could lead to Stored Cross-Site Scripting issues | ||||
| CVE-2021-25009 | 1 Correosexpress Project | 1 Correosexpress | 2024-11-21 | 5.3 Medium |
| The CorreosExpress WordPress plugin through 2.6.0 generates log files which are publicly accessible, and contain sensitive information such as sender/receiver names, phone numbers, physical and email addresses | ||||
| CVE-2021-25008 | 1 Codesnippets | 1 Code Snippets | 2024-11-21 | 6.1 Medium |
| The Code Snippets WordPress plugin before 2.14.3 does not escape the snippets-safe-mode parameter before outputting it back in attributes, leading to a Reflected Cross-Site Scripting issue | ||||
| CVE-2021-25007 | 1 Molie Instructure Canvas Linking Tool Project | 1 Molie Instructure Canvas Linking Tool | 2024-11-21 | 9.8 Critical |
| The MOLIE WordPress plugin through 0.5 does not validate and escape a post parameter before using in a SQL statement, leading to an SQL Injection | ||||
| CVE-2021-25006 | 1 Molie Instructure Canvas Linking Tool Project | 1 Molie Instructure Canvas Linking Tool | 2024-11-21 | 6.1 Medium |
| The MOLIE WordPress plugin through 0.5 does not escape the course_id parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting issue | ||||
| CVE-2021-25005 | 1 Seur Oficial Project | 1 Seur Oficial | 2024-11-21 | 4.8 Medium |
| The SEUR Oficial WordPress plugin before 1.7.0 does not sanitize and escape some of its settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | ||||
| CVE-2021-25004 | 1 Seur Oficial Project | 1 Seur Oficial | 2024-11-21 | 4.9 Medium |
| The SEUR Oficial WordPress plugin before 1.7.2 creates a PHP file with a random name when installed, even though it is used for support purposes, it allows to download any file from the web server without restriction after knowing the URL and a password than an administrator can see in the plugin settings page. | ||||
| CVE-2021-25003 | 1 Wptaskforce | 1 Wpcargo Track \& Trace | 2024-11-21 | 9.8 Critical |
| The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE | ||||
| CVE-2021-25002 | 1 Tipsacarrier Project | 1 Tipsacarrier | 2024-11-21 | 7.5 High |
| The Tipsacarrier WordPress plugin before 1.5.0.5 does not have any authorisation check in place some functions, which could allow unauthenticated users to access Orders data which could be used to retrieve the client full address, name and phone via tracking URL | ||||
| CVE-2021-25001 | 1 Booster | 1 Booster For Woocommerce | 2024-11-21 | 6.1 Medium |
| The Booster for WooCommerce WordPress plugin before 5.4.9 does not sanitise and escape the wcj_create_products_xml_result parameter before outputting back in the admin dashboard when the Product XML Feeds module is enabled, leading to a Reflected Cross-Site Scripting issue | ||||
| CVE-2021-25000 | 1 Booster | 1 Booster For Woocommerce | 2024-11-21 | 6.1 Medium |
| The Booster for WooCommerce WordPress plugin before 5.4.9 does not sanitise and escape the wcj_delete_role parameter before outputting back in the admin dashboard when the General module is enabled, leading to a Reflected Cross-Site Scripting issue | ||||
| CVE-2021-24999 | 1 Booster | 1 Booster For Woocommerce | 2024-11-21 | 6.1 Medium |
| The Booster for WooCommerce WordPress plugin before 5.4.9 does not sanitise and escape the wcj_notice parameter before outputting it back in the admin dashboard when the Pdf Invoicing module is enabled, leading to a Reflected Cross-Site Scripting | ||||
| CVE-2021-24998 | 1 Simple Jwt Login Project | 1 Simple Jwt Login | 2024-11-21 | 7.5 High |
| The Simple JWT Login WordPress plugin before 3.3.0 can be used to create new WordPress user accounts with a randomly generated password. The password is generated using the str_shuffle PHP function that "does not generate cryptographically secure values, and should not be used for cryptographic purposes" according to PHP's documentation. | ||||
| CVE-2021-24997 | 1 Wp-guppy | 1 Wp Guppy | 2024-11-21 | 6.5 Medium |
| The WP Guppy WordPress plugin before 1.3 does not have any authorisation in some of the REST API endpoints, allowing any user to call them and could lead to sensitive information disclosure, such as usernames and chats between users, as well as be able to send messages as an arbitrary user | ||||
| CVE-2021-24996 | 1 Wki | 1 Idpay For Contact Form 7 | 2024-11-21 | 6.1 Medium |
| The IDPay for Contact Form 7 WordPress plugin through 2.1.2 does not sanitise and escape the idpay_error parameter before outputting it back in the page leading to a Reflected Cross-Site Scripting | ||||