Export limit exceeded: 364935 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (364935 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-24866 | 1 Wpdataaccess | 1 Wp Data Access | 2024-11-21 | 9.8 Critical |
| The WP Data Access WordPress plugin before 5.0.0 does not properly sanitise and escape the backup_date parameter before using it a SQL statement, leading to a SQL injection issue and could allow arbitrary table deletion | ||||
| CVE-2021-24865 | 1 Acf-extended | 1 Advanced Custom Fields\ | 2024-11-21 | 7.2 High |
| The Advanced Custom Fields: Extended WordPress plugin before 0.8.8.7 does not validate the order and orderby parameters before using them in a SQL statement, leading to a SQL Injection issue | ||||
| CVE-2021-24864 | 1 Wpscan | 1 Wp Cloudy | 2024-11-21 | 8.8 High |
| The WP Cloudy, weather plugin WordPress plugin before 4.4.9 does not escape the post_id parameter before using it in a SQL statement in the admin dashboard, leading to a SQL Injection issue | ||||
| CVE-2021-24862 | 1 Metagauss | 1 Registrationmagic | 2024-11-21 | 7.2 High |
| The RegistrationMagic WordPress plugin before 5.0.1.6 does not escape user input in its rm_chronos_ajax AJAX action before using it in a SQL statement when duplicating tasks in batches, which could lead to a SQL injection issue | ||||
| CVE-2021-24861 | 1 Quotes Collection Project | 1 Quotes Collection | 2024-11-21 | 7.2 High |
| The Quotes Collection WordPress plugin through 2.5.2 does not validate and escape the bulkcheck parameter before using it in a SQL statement, leading to a SQL injection | ||||
| CVE-2021-24860 | 1 Bannersky | 1 Bsk Pdf Manager | 2024-11-21 | 7.2 High |
| The BSK PDF Manager WordPress plugin before 3.1.2 does not validate and escape the orderby and order parameters before using them in a SQL statement, leading to a SQL injection issue | ||||
| CVE-2021-24859 | 1 User Meta Shortcodes Project | 1 User Meta Shortcodes | 2024-11-21 | 4.3 Medium |
| The User Meta Shortcodes WordPress plugin through 0.5 registers a shortcode that allows any user with a role as low as contributor to access other users metadata by specifying the user login as a parameter. This makes the WP instance vulnerable to data extrafiltration, including password hashes | ||||
| CVE-2021-24858 | 1 Accesspressthemes | 1 Wp Cookie User Info | 2024-11-21 | 7.2 High |
| The Cookie Notification Plugin for WordPress plugin before 1.0.9 does not sanitise or escape the id GET parameter before using it in a SQL statement, when retrieving the setting to edit in the admin dashboard, leading to an authenticated SQL Injection | ||||
| CVE-2021-24857 | 1 Nocean | 1 Totop Link | 2024-11-21 | 9.8 Critical |
| The ToTop Link WordPress plugin through 1.7.1 passes base64 encoded user input to the unserialize() PHP function, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain. | ||||
| CVE-2021-24856 | 1 Tammersoft | 1 Shared Files | 2024-11-21 | 4.8 Medium |
| The Shared Files WordPress plugin before 1.6.61 does not sanitise and escape the Download Counter Text settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | ||||
| CVE-2021-24855 | 1 Display Post Metadata Project | 1 Display Post Metadata | 2024-11-21 | 5.4 Medium |
| The Display Post Metadata WordPress plugin before 1.5.0 adds a shortcode to print out custom fields, however their content is not sanitised or escaped which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks | ||||
| CVE-2021-24854 | 1 Qr Redirector Project | 1 Qr Redirector | 2024-11-21 | 5.4 Medium |
| The QR Redirector WordPress plugin before 1.6.1 does not sanitise and escape some of the QR Redirect fields, which could allow users with a role as low as Contributor perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2021-24853 | 1 Qr Redirector Project | 1 Qr Redirector | 2024-11-21 | 4.3 Medium |
| The QR Redirector WordPress plugin before 1.6 does not have capability and CSRF checks when saving bulk QR Redirector settings via the qr_save_bulk AJAX action, which could allow any authenticated user, such as subscriber to change the redirect response status code of arbitrary QR Redirects | ||||
| CVE-2021-24852 | 1 Mousewheel Smooth Scroll Project | 1 Mousewheel Smooth Scroll | 2024-11-21 | 6.5 Medium |
| The MouseWheel Smooth Scroll WordPress plugin before 5.7 does not have CSRF check in place on its settings page, which could allow attackers to make a logged in admin change them via a CSRF attack | ||||
| CVE-2021-24851 | 1 Insert Pages Project | 1 Insert Pages | 2024-11-21 | 4.3 Medium |
| The Insert Pages WordPress plugin before 3.7.0 allows users with a role as low as Contributor to access content and metadata from arbitrary posts/pages regardless of their author and status (ie private), using a shortcode. Password protected posts/pages are not affected by such issue. | ||||
| CVE-2021-24850 | 1 Insert Pages Project | 1 Insert Pages | 2024-11-21 | 5.4 Medium |
| The Insert Pages WordPress plugin before 3.7.0 adds a shortcode that prints out other pages' content and custom fields. It can be used by users with a role as low as Contributor to perform Cross-Site Scripting attacks by storing the payload/s in another post's custom fields. | ||||
| CVE-2021-24849 | 1 Wclovers | 1 Frontend Manager For Woocommerce Along With Bookings Subscription Listings Compatible | 2024-11-21 | 9.8 Critical |
| The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections | ||||
| CVE-2021-24848 | 1 Frenify | 1 Mediamatic | 2024-11-21 | 8.8 High |
| The mediamaticAjaxRenameCategory AJAX action of the Mediamatic WordPress plugin before 2.8.1, available to any authenticated user, does not sanitise the categoryID parameter before using it in a SQL statement, leading to an SQL injection | ||||
| CVE-2021-24847 | 1 Wp-buy | 1 Seo Redirection-301 Redirect Manager | 2024-11-21 | 8.8 High |
| The importFromRedirection AJAX action of the SEO Redirection Plugin – 301 Redirect Manager WordPress plugin before 8.2, available to any authenticated user, does not properly sanitise the offset parameter before using it in a SQL statement, leading an SQL injection when the redirection plugin is also installed | ||||
| CVE-2021-24846 | 1 Ni Woocommerce Custom Order Status Project | 1 Ni Woocommerce Custom Order Status | 2024-11-21 | 8.8 High |
| The get_query() function of the Ni WooCommerce Custom Order Status WordPress plugin before 1.9.7, used by the niwoocos_ajax AJAX action, available to all authenticated users, does not properly sanitise the sort parameter before using it in a SQL statement, leading to an SQL injection, exploitable by any authenticated users, such as subscriber | ||||