Total
8760 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24543 | 1 Jquery-reply-to-comment Project | 1 Jquery-reply-to-comment | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The jQuery Reply to Comment WordPress plugin through 1.31 does not have any CSRF check when saving its settings, nor sanitise or escape its 'Quote String' and 'Reply String' settings before outputting them in Comments, leading to a Stored Cross-Site Scripting issue.
|
|||||
| CVE-2021-24536 | 1 Custom Login Redirect Project | 1 Custom Login Redirect | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Custom Login Redirect WordPress plugin through 1.0.0 does not have CSRF check in place when saving its settings, and do not sanitise or escape user input before outputting them back in the page, leading to a Stored Cross-Site Scripting issue
|
|||||
| CVE-2021-24535 | 1 Light Messages Project | 1 Light Messages | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Light Messages WordPress plugin through 1.0 is lacking CSRF check when updating it's settings, and is not sanitising its Message Content in them (even with the unfiltered_html disallowed). As a result, an attacker could make a logged in admin update the settings to arbitrary values, and set a Cross-Site Scripting payload in the Message Content. Depending on the options set, the XSS payload can be triggered either in the backend only (in the plugin's settings), or both frontend and backend.
|
|||||
| CVE-2021-24504 | 1 Wplearnmanager | 1 Wp Learn Manager | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The WP LMS – Best WordPress LMS Plugin WordPress plugin through 1.1.2 does not properly sanitise or validate its User Field Titles, allowing XSS payload to be used in them. Furthermore, no CSRF and capability checks were in place, allowing such attack to be performed either via CSRF or as any user (including unauthenticated)
|
|||||
| CVE-2021-24500 | 1 Amentotech | 1 Workreap | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH |
|
Several AJAX actions available in the Workreap WordPress theme before 2.2.2 lacked CSRF protections, as well as allowing insecure direct object references that were not validated. This allows an attacker to trick a logged in user to submit a POST request to the vulnerable site, potentially modifying or deleting arbitrary objects on the target site.
|
|||||
| CVE-2021-24491 | 1 Fileviewer Project | 1 Fileviewer | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The Fileviewer WordPress plugin through 2.2 does not have CSRF checks in place when performing actions such as upload and delete files. As a result, attackers could make a logged in administrator delete and upload arbitrary files via a CSRF attack
|
|||||
| CVE-2021-24490 | 1 Email Artillery Project | 1 Email Artillery | 2024-11-21 | 6.0 MEDIUM | 6.8 MEDIUM |
|
The Email Artillery (MASS EMAIL) WordPress plugin through 4.1 does not properly check the uploaded files from the Import Emails feature, allowing arbitrary files to be uploaded. Furthermore, the plugin is also lacking any CSRF check, allowing such issue to be exploited via a CSRF attack as well. However, due to the presence of a .htaccess, denying access to everything in the folder the file is uploaded to, the malicious uploaded file will only be accessible on Web Servers such as Nginx/IIS
|
|||||
| CVE-2021-24487 | 1 Sanskruti | 1 St-daily-tip | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The St-Daily-Tip WordPress plugin through 4.7 does not have any CSRF check in place when saving its 'Default Text to Display if no tips' setting, and was also lacking sanitisation as well as escaping before outputting it the page. This could allow attacker to make logged in administrators set a malicious payload in it, leading to a Stored Cross-Site Scripting issue
|
|||||
| CVE-2021-24477 | 1 Migrate Users Project | 1 Migrate Users | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Migrate Users WordPress plugin through 1.0.1 does not sanitise or escape its Delimiter option before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin does not have CSRF check in place when saving its options, allowing the issue to be exploited via a CSRF attack.
|
|||||
| CVE-2021-24467 | 1 Leaflet Map Project | 1 Leaflet Map | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
The Leaflet Map WordPress plugin before 3.0.0 does not verify the CSRF nonce when saving its settings, which allows attackers to make a logged in admin update the settings via a Cross-Site Request Forgery attack. This could lead to Cross-Site Scripting issues by either changing the URL of the JavaScript library being used, or using malicious attributions which will be executed in all page with an embed map from the plugin
|
|||||
| CVE-2021-24466 | 1 Verse-o-matic Project | 1 Verse-o-matic | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Verse-O-Matic WordPress plugin through 4.1.1 does not have any CSRF checks in place, allowing attackers to make logged in administrators do unwanted actions, such as add/edit/delete arbitrary verses and change the settings. Due to the lack of sanitisation in the settings and verses, this could also lead to Stored Cross-Site Scripting issues
|
|||||
| CVE-2021-24446 | 1 Wpchill | 1 Remove Footer Credit | 2024-11-21 | 6.0 MEDIUM | 5.4 MEDIUM |
|
The Remove Footer Credit WordPress plugin before 1.0.6 does not have CSRF check in place when saving its settings, which could allow attacker to make logged in admins change them and lead to Stored XSS issue as well due to the lack of sanitisation
|
|||||
| CVE-2021-24434 | 1 Codeblab | 1 Glass | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Glass WordPress plugin through 1.3.2 does not sanitise or escape its "Glass Pages" setting before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin did not have CSRF check in place when saving its settings, allowing the issue to be exploited via a CSRF attack.
|
|||||
| CVE-2021-24431 | 1 Language Bar Flags Project | 1 Language Bar Flags | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
The Language Bar Flags WordPress plugin through 1.0.8 does not have any CSRF in place when saving its settings and did not sanitise or escape them when generating the flag bar in the frontend. This could allow attackers to make a logged in admin change the settings, and set Cross-Site Scripting payload in them, which will be executed in the frontend for all users
|
|||||
| CVE-2021-24411 | 1 Social Tape Project | 1 Social Tape | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Social Tape WordPress plugin through 1.0 does not have CSRF checks in place when saving its settings, and do not sanitise or escape them before outputting them back in the page, leading to a stored Cross-Site Scripting issue via a CSRF attack
|
|||||
| CVE-2021-24410 | 1 Telugu Bible Verse Daily Project | 1 Telugu Bible Verse Daily | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The తెలుగు బైబిల్ వచనములు WordPress plugin through 1.0 is lacking any CSRF check when saving its settings and verses, and do not sanitise or escape them when outputting them back in the page. This could allow attackers to make a logged in admin change the settings, as well as add malicious verses containing JavaScript code in them, leading to Stored XSS issues
|
|||||
| CVE-2021-24388 | 1 E4j | 1 Vikrentcar Car Rental Management System | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
In the VikRentCar Car Rental Management System WordPress plugin before 1.1.7, there is a custom filed option by which we can manage all the fields that the users will have to fill in before saving the order. However, the field name is not sanitised or escaped before being output back in the page, leading to a stored Cross-Site Scripting issue. There is also no CSRF check done before saving the setting, allowing attackers to make a logged in admin set arbitrary Custom Fields, including one with X ...
Show More |
|||||
| CVE-2021-24380 | 1 Shantz Wordpress Qotd Project | 1 Shantz Wordpress Qotd | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
The Shantz WordPress QOTD WordPress plugin through 1.2.2 is lacking any CSRF check when updating its settings, allowing attackers to make logged in administrators change them to arbitrary values.
|
|||||
| CVE-2021-24349 | 1 Gallery From Files Project | 1 Gallery From Files | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
This Gallery from files WordPress plugin through 1.6.0 gives the functionality of uploading images to the server. But filenames are not properly sanitized before being output in an error message when they have an invalid extension, leading to a reflected Cross-Site Scripting issue. Due to the lack of CSRF check, the attack could also be performed via such vector.
|
|||||
| CVE-2021-24333 | 1 Content Copy Protection \& Prevent Image Save Project | 1 Content Copy Protection \& Prevent Image Save | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
The Content Copy Protection & Prevent Image Save WordPress plugin through 1.3 does not check for CSRF when saving its settings, not perform any validation and sanitisation on them, allowing attackers to make a logged in administrator set arbitrary XSS payloads in them.
|
|||||
| CVE-2021-24328 | 1 Clogica | 1 Wp Login Security And History | 2024-11-21 | 3.5 LOW | 6.2 MEDIUM |
|
The WP Login Security and History WordPress plugin through 1.0 did not have CSRF check when saving its settings, not any sanitisation or validation on them. This could allow attackers to make logged in administrators change the plugin's settings to arbitrary values, and set XSS payloads on them as well
|
|||||
| CVE-2021-24324 | 1 Clogica | 1 All 404 Redirect To Homepage | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
The 404 SEO Redirection WordPress plugin through 1.3 is lacking CSRF checks in all its settings, allowing attackers to make a logged in user change the plugin's settings. Due to the lack of sanitisation and escaping in some fields, it could also lead to Stored Cross-Site Scripting issues
|
|||||
| CVE-2021-24272 | 1 Codeinitiator | 1 Fitness Calculators | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
The fitness calculators WordPress plugin before 1.9.6 add calculators for Water intake, BMI calculator, protein Intake, and Body Fat and was lacking CSRF check, allowing attackers to make logged in users perform unwanted actions, such as change the calculator headers. Due to the lack of sanitisation, this could also lead to a Stored Cross-Site Scripting issue
|
|||||
| CVE-2021-24251 | 1 Strategy11 | 1 Business Directory Plugin - Easy Listing Directories | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator update arbitrary payment history, such as change their status (from pending to completed to example)
|
|||||
| CVE-2021-24249 | 1 Strategy11 | 1 Business Directory Plugin - Easy Listing Directories | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator export files, which could then be downloaded by the attacker to get access to PII, such as email, home addresses etc
|
|||||
| CVE-2021-24231 | 1 Patreon | 1 Patreon Wordpress | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the Patreon WordPress plugin before 1.7.0, allowing attackers to make a logged administrator disconnect the site from Patreon by visiting a specially crafted link.
|
|||||
| CVE-2021-24230 | 1 Patreon | 1 Patreon Wordpress | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH |
|
The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the Patreon WordPress plugin before 1.7.0, allowing attackers to make a logged in user overwrite or create arbitrary user metadata on the victim’s account once visited. If exploited, this bug can be used to overwrite the “wp_capabilities” meta, which contains the affected user account’s roles and privileges. Doing this would essentially lock them out of the site, blocking them from accessing paid content.
|
|||||
| CVE-2021-24218 | 1 Facebook | 1 Facebook | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection. The settings in the saveFbeSettings function had no sanitization allowing for script tags to be saved.
|
|||||
| CVE-2021-24179 | 1 Strategy11 | 1 Business Directory Plugin - Easy Listing Directories | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator import files. As the plugin also did not validate uploaded files, it could lead to RCE.
|
|||||
| CVE-2021-24178 | 1 Strategy11 | 1 Business Directory Plugin - Easy Listing Directories | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.1 suffered from Cross-Site Request Forgery issues, allowing an attacker to make a logged in administrator add, edit or delete form fields, which could also lead to Stored Cross-Site Scripting issues.
|
|||||
| CVE-2021-24174 | 1 Database-backups Project | 1 Database-backups | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH |
|
The Database Backups WordPress plugin through 1.2.2.6 does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as generate backups of the database, change the plugin's settings and delete backups.
|
|||||
| CVE-2021-24173 | 1 Vm Backups Project | 1 Vm Backups | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The VM Backups WordPress plugin through 1.0 does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as update the plugin's options, leading to a Stored Cross-Site Scripting issue.
|
|||||
| CVE-2021-24172 | 1 Vm Backups Project | 1 Vm Backups | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
The VM Backups WordPress plugin through 1.0 does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as generate backups of the DB, plugins, and current .
|
|||||
| CVE-2021-24166 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | 5.8 MEDIUM | 5.4 MEDIUM |
|
The wp_ajax_nf_oauth_disconnect from the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 had no nonce protection making it possible for attackers to craft a request to disconnect a site's OAuth connection.
|
|||||
| CVE-2021-24162 | 1 Expresstech | 1 Responsive Menu | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
In the Reponsive Menu (free and Pro) WordPress plugins before 4.0.4, attackers could craft a request and trick an administrator into importing all new settings. These settings could be modified to include malicious JavaScript, therefore allowing an attacker to inject payloads that could aid in further infection of the site.
|
|||||
| CVE-2021-24161 | 1 Expresstech | 1 Responsive Menu | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
In the Reponsive Menu (free and Pro) WordPress plugins before 4.0.4, attackers could craft a request and trick an administrator into uploading a zip archive containing malicious PHP files. The attacker could then access those files to achieve remote code execution and further infect the targeted site.
|
|||||
| CVE-2021-24159 | 1 Rocklobster | 1 Contact Form 7 | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
Due to the lack of sanitization and lack of nonce protection on the custom CSS feature, an attacker could craft a request to inject malicious JavaScript on a site using the Contact Form 7 Style WordPress plugin through 3.1.9. If an attacker successfully tricked a site’s administrator into clicking a link or attachment, then the request could be sent and the CSS settings would be successfully updated to include malicious JavaScript.
|
|||||
| CVE-2021-24133 | 1 Activecampaign | 1 Activecampaign | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
Lack of CSRF checks in the ActiveCampaign WordPress plugin, versions before 8.0.2, on its Settings form, which could allow attacker to make a logged-in administrator change API Credentials to attacker's account.
|
|||||
| CVE-2021-23849 | 1 Bosch | 14 Aviotec, Aviotec Firmware, Cpp13 and 11 more | 2024-11-21 | 6.8 MEDIUM | 7.5 HIGH |
|
A vulnerability in the web-based interface allows an unauthenticated remote attacker to trigger actions on an affected system on behalf of another user (CSRF - Cross Site Request Forgery). This requires the victim to be tricked into clicking a malicious link or opening a malicious website while being logged in into the camera.
|
|||||
| CVE-2021-23431 | 1 Joplinapp | 1 Joplin | 2024-11-21 | 6.8 MEDIUM | 5.4 MEDIUM |
|
The package joplin before 2.3.2 are vulnerable to Cross-site Request Forgery (CSRF) due to missing CSRF checks in various forms.
|
|||||