Export limit exceeded: 366692 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (366692 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-24298 | 1 Ibenic | 1 Simple Giveaways | 2024-11-21 | 6.1 Medium |
| The method and share GET parameters of the Giveaway pages were not sanitised, validated or escaped before being output back in the pages, thus leading to reflected XSS | ||||
| CVE-2021-24297 | 1 Boostifythemes | 1 Goto | 2024-11-21 | 6.1 Medium |
| The Goto WordPress theme before 2.1 did not properly sanitize the formvalue JSON POST parameter in its tl_filter AJAX action, leading to an unauthenticated Reflected Cross-site Scripting (XSS) vulnerability. | ||||
| CVE-2021-24296 | 1 Gowebsolutions | 1 Wp Customer Reviews | 2024-11-21 | 4.8 Medium |
| The WP Customer Reviews WordPress plugin before 3.5.6 did not sanitise some of its settings, allowing high privilege users such as administrators to set XSS payloads in them which will then be triggered in pages where reviews are enabled | ||||
| CVE-2021-24295 | 1 Cleantalk | 1 Spam Protection\, Antispam\, Firewall | 2024-11-21 | 7.5 High |
| It was possible to exploit an Unauthenticated Time-Based Blind SQL Injection vulnerability in the Spam protection, AntiSpam, FireWall by CleanTalk WordPress Plugin before 5.153.4. The update_log function in lib/Cleantalk/ApbctWP/Firewall/SFW.php included a vulnerable query that could be injected via the User-Agent Header by manipulating the cookies set by the Spam protection, AntiSpam, FireWall by CleanTalk WordPress plugin before 5.153.4, sending an initial request to obtain a ct_sfw_pass_key cookie and then manually setting a separate ct_sfw_passed cookie and disallowing it from being reset. | ||||
| CVE-2021-24294 | 1 Mlfactory | 1 Dsgvo All In One For Wp | 2024-11-21 | 6.1 Medium |
| The dsgvoaio_write_log AJAX action of the DSGVO All in one for WP WordPress plugin before 4.0 did not sanitise or escape some POST parameter submitted before outputting them in the Log page in the administrator dashboard (wp-admin/admin.php?page=dsgvoaiofree-show-log). This could allow unauthenticated attackers to gain unauthorised access by using an XSS payload to create a rogue administrator account, which will be trigged when an administrator will view the logs. | ||||
| CVE-2021-24293 | 1 Imagely | 1 Nextgen Gallery | 2024-11-21 | 6.1 Medium |
| In the eCommerce module of the NextGEN Gallery Pro WordPress plugin before 3.1.11, there is an action to call get_cart_items via photocrati_ajax , after that the settings[shipping_address][name] is able to inject malicious javascript. | ||||
| CVE-2021-24292 | 1 Wedevs | 1 Happy Addons For Elementor | 2024-11-21 | 5.4 Medium |
| The Happy Addons for Elementor WordPress plugin before 2.24.0, Happy Addons Pro for Elementor WordPress plugin before 1.17.0 have a number of widgets that are vulnerable to stored Cross-Site Scripting(XSS) by lower-privileged users such as contributors, all via a similar method: The “Card” widget accepts a “title_tag” parameter. Although the element control lists a fixed set of possible html tags, it is possible to send a ‘save_builder’ request with the “heading_tag” set to “script”, and the actual “title” parameter set to JavaScript to be executed within the script tags added by the “heading_tag” parameter. | ||||
| CVE-2021-24291 | 1 10web | 1 Photo Gallery | 2024-11-21 | 6.1 Medium |
| The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.69 was vulnerable to Reflected Cross-Site Scripting (XSS) issues via the gallery_id, tag, album_id and _id GET parameters passed to the bwg_frontend_data AJAX action (available to both unauthenticated and authenticated users) | ||||
| CVE-2021-24290 | 1 De-baat | 1 Store Locator Plus | 2024-11-21 | 6.1 Medium |
| There are several endpoints in the Store Locator Plus for WordPress plugin through 5.5.15 that could allow unauthenticated attackers the ability to inject malicious JavaScript into pages. | ||||
| CVE-2021-24289 | 1 De-baat | 1 Store Locator Plus | 2024-11-21 | 8.8 High |
| There is functionality in the Store Locator Plus for WordPress plugin through 5.5.14 that made it possible for authenticated users to update their user meta data to become an administrator on any site using the plugin. | ||||
| CVE-2021-24288 | 1 Acymailing | 1 Acymailing | 2024-11-21 | 6.1 Medium |
| When subscribing using AcyMailing, the 'redirect' parameter isn't properly sanitized. Turning the request from POST to GET, an attacker can craft a link containing a potentially malicious landing page and send it to the victim. | ||||
| CVE-2021-24287 | 1 Mooveagency | 1 Select All Categories And Taxonomies\, Change Checkbox To Radio Buttons | 2024-11-21 | 6.1 Medium |
| The settings page of the Select All Categories and Taxonomies, Change Checkbox to Radio Buttons WordPress plugin before 1.3.2 did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue | ||||
| CVE-2021-24286 | 1 Mooveagency | 1 Redirect 404 To Parent | 2024-11-21 | 6.1 Medium |
| The settings page of the Redirect 404 to parent WordPress plugin before 1.3.1 did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue | ||||
| CVE-2021-24285 | 1 Cars-seller-auto-classifieds-script Project | 1 Cars-seller-auto-classifieds-script | 2024-11-21 | 9.8 Critical |
| The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenticated and unauthenticated users, does not sanitise, validate or escape the order_id POST parameter before using it in a SQL statement, leading to a SQL Injection issue. | ||||
| CVE-2021-24284 | 1 Kaswara Project | 1 Kaswara | 2024-11-21 | 9.8 Critical |
| The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zipfile being unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP. | ||||
| CVE-2021-24283 | 1 Pickplugins | 1 Accordion | 2024-11-21 | 5.4 Medium |
| The tab GET parameter of the settings page is not sanitised or escaped when being output back in an HTML attribute, leading to a reflected XSS issue. | ||||
| CVE-2021-24282 | 1 Querysol | 1 Redirection For Contact Form 7 | 2024-11-21 | 6.3 Medium |
| In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the various AJAX actions in the plugin to do a variety of things. For example, an attacker could use wpcf7r_reset_settings to reset the plugin’s settings, wpcf7r_add_action to add actions to a form, and more. | ||||
| CVE-2021-24281 | 1 Querysol | 1 Redirection For Contact Form 7 | 2024-11-21 | 4.3 Medium |
| In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the delete_action_post AJAX action to delete any post on a target site. | ||||
| CVE-2021-24280 | 1 Querysol | 1 Redirection For Contact Form 7 | 2024-11-21 | 8.8 High |
| In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the import_from_debug AJAX action to inject PHP objects. | ||||
| CVE-2021-24279 | 1 Querysol | 1 Redirection For Contact Form 7 | 2024-11-21 | 6.5 Medium |
| In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, low level users, such as subscribers, could use the import_from_debug AJAX action to install any plugin from the WordPress repository. | ||||