Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-25006 | 1 Molie Instructure Canvas Linking Tool Project | 1 Molie Instructure Canvas Linking Tool | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The MOLIE WordPress plugin through 0.5 does not escape the course_id parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting issue
|
|||||
| CVE-2021-25005 | 1 Seur Oficial Project | 1 Seur Oficial | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The SEUR Oficial WordPress plugin before 1.7.0 does not sanitize and escape some of its settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
|
|||||
| CVE-2021-25001 | 1 Booster | 1 Booster For Woocommerce | 2024-11-21 | 2.6 LOW | 6.1 MEDIUM |
|
The Booster for WooCommerce WordPress plugin before 5.4.9 does not sanitise and escape the wcj_create_products_xml_result parameter before outputting back in the admin dashboard when the Product XML Feeds module is enabled, leading to a Reflected Cross-Site Scripting issue
|
|||||
| CVE-2021-25000 | 1 Booster | 1 Booster For Woocommerce | 2024-11-21 | 2.6 LOW | 6.1 MEDIUM |
|
The Booster for WooCommerce WordPress plugin before 5.4.9 does not sanitise and escape the wcj_delete_role parameter before outputting back in the admin dashboard when the General module is enabled, leading to a Reflected Cross-Site Scripting issue
|
|||||
| CVE-2021-24999 | 1 Booster | 1 Booster For Woocommerce | 2024-11-21 | 2.6 LOW | 6.1 MEDIUM |
|
The Booster for WooCommerce WordPress plugin before 5.4.9 does not sanitise and escape the wcj_notice parameter before outputting it back in the admin dashboard when the Pdf Invoicing module is enabled, leading to a Reflected Cross-Site Scripting
|
|||||
| CVE-2021-24996 | 1 Wki | 1 Idpay For Contact Form 7 | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The IDPay for Contact Form 7 WordPress plugin through 2.1.2 does not sanitise and escape the idpay_error parameter before outputting it back in the page leading to a Reflected Cross-Site Scripting
|
|||||
| CVE-2021-24995 | 1 Html5 Responsive Faq Project | 1 Html5 Responsive Faq | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The HTML5 Responsive FAQ WordPress plugin through 2.8.5 does not properly sanitise and escape some of its settings, which could allow a high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed
|
|||||
| CVE-2021-24994 | 1 Wpvivid | 1 Migration\, Backup\, Staging | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Migration, Backup, Staging WordPress plugin before 0.9.69 does not have authorisation when adding remote storages, and does not sanitise as well as escape a parameter from such unauthenticated requests before outputting it in admin page, leading to a Stored Cross-Site Scripting issue
|
|||||
| CVE-2021-24992 | 1 Buttonizer | 1 Buttonizer | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Smart Floating / Sticky Buttons WordPress plugin before 2.5.5 does not sanitise and escape some parameter before outputting them in attributes and page, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
|
|||||
| CVE-2021-24991 | 1 Wpovernight | 1 Woocommerce Pdf Invoices\& Packing Slips | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The WooCommerce PDF Invoices & Packing Slips WordPress plugin before 2.10.5 does not escape the tab and section parameters before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting in the admin dashboard
|
|||||
| CVE-2021-24988 | 1 Wprssaggregator | 1 Wp Rss Aggregator | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The WP RSS Aggregator WordPress plugin before 4.19.3 does not sanitise and escape data before outputting it in the System Info admin dashboard, which could lead to a Stored XSS issue due to the wprss_dismiss_addon_notice AJAX action missing authorisation and CSRF checks, allowing any authenticated users, such as subscriber to call it and set a malicious payload in the addon parameter.
|
|||||
| CVE-2021-24987 | 1 Heateor | 1 Super Socializer | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Social Share, Social Login and Social Comments Plugin WordPress plugin before 7.13.30 does not sanitise and escape the urls parameter in its the_champ_sharing_count AJAX action (available to both unauthenticated and authenticated users) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue.
|
|||||
| CVE-2021-24986 | 1 Pickplugins | 1 Post Grid | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Post Grid WordPress plugin before 2.1.16 does not escape the keyword parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting in pages containing a Post Grid with a search form
|
|||||
| CVE-2021-24985 | 1 Yikesinc | 1 Easy Forms For Mailchimp | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Easy Forms for Mailchimp WordPress plugin before 6.8.6 does not sanitise and escape the field_name and field_type parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues
|
|||||
| CVE-2021-24984 | 1 Wpfront | 1 Wpfront User Role Editor | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The WPFront User Role Editor WordPress plugin before 3.2.1.11184 does not sanitise and escape the changes-saved parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting
|
|||||
| CVE-2021-24983 | 1 Asset Cleanup\ | 1 Page Speed Booster Project | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Asset CleanUp: Page Speed Booster WordPress plugin before 1.3.8.5 does not sanitise and escape POSted parameters sent to the wpassetcleanup_fetch_active_plugins_icons AJAX action (available to admin users), leading to a Reflected Cross-Site Scripting issue
|
|||||
| CVE-2021-24982 | 1 Childtheme-generator | 1 Child Theme Generator | 2024-11-21 | 3.5 LOW | 6.4 MEDIUM |
|
The Child Theme Generator WordPress plugin through 2.2.7 does not sanitise escape the parade parameter before outputting it back, leading to a Reflected Cross-Site Scripting in the admin dashboard
|
|||||
| CVE-2021-24980 | 1 Gwolle Guestbook Project | 1 Gwolle Guestbook | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Gwolle Guestbook WordPress plugin before 4.2.0 does not sanitise and escape the gwolle_gb_user_email parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue in an admin page
|
|||||
| CVE-2021-24979 | 1 Strangerstudios | 1 Paid Memberships Pro | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Paid Memberships Pro WordPress plugin before 2.6.6 does not escape the s parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting
|
|||||
| CVE-2021-24976 | 1 Wbolt | 1 Smart Seo Tool | 2024-11-21 | 2.6 LOW | 6.1 MEDIUM |
|
The Smart SEO Tool WordPress plugin before 3.0.6 does not sanitise and escape the search parameter before outputting it back in an attribute when the TDK optimisation setting is enabled, leading to a Reflected Cross-Site Scripting
|
|||||
| CVE-2021-24975 | 1 Nextscripts | 1 Social Networks Auto Poster | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The NextScripts: Social Networks Auto-Poster WordPress plugin before 4.3.24 does not sanitise and escape logged requests before outputting them in the related admin dashboard, leading to an Unauthenticated Stored Cross-Site Scripting issue
|
|||||
| CVE-2021-24974 | 1 Adtribes | 1 Product Feed Pro For Woocommerce | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Product Feed PRO for WooCommerce WordPress plugin before 11.0.7 does not have authorisation and CSRF check in some of its AJAX actions, allowing any authenticated users to call then, which could lead to Stored Cross-Site Scripting issue (which will be triggered in the admin dashboard) due to the lack of escaping.
|
|||||
| CVE-2021-24973 | 1 Geminilabs | 1 Site Reviews | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Site Reviews WordPress plugin before 5.17.3 does not sanitise and escape the site-reviews parameter of the glsr_action AJAX action (available to unauthenticated and any authenticated users), allowing them to perform Cross-Site Scripting attacks against logged in admins viewing the Tool dashboard of the plugin
|
|||||
| CVE-2021-24972 | 1 Fatcatapps | 1 Pixel Cat | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Pixel Cat WordPress plugin before 2.6.3 does not escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed
|
|||||
| CVE-2021-24971 | 1 Magnigenie | 1 Wp Responsive Menu | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The WP Responsive Menu WordPress plugin before 3.1.7.1 does not have capability and CSRF checks in the wpr_live_update AJAX action, as well as do not sanitise and escape some of the data submitted. As a result, any authenticated, such as subscriber could update the plugin's settings and perform Cross-Site Scripting attacks against all visitor and users on the frontend
|
|||||
| CVE-2021-24967 | 1 Themehunk | 1 Contact Form \& Lead Form Elementor Builder | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.6.4 does not sanitise and escape some lead values, which could allow unauthenticated users to perform Cross-Site Scripting attacks against logged in admin viewing the inserted Leads
|
|||||
| CVE-2021-24965 | 1 Fivestarplugins | 1 Five Star Restaurant Reservations | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Five Star Restaurant Reservations WordPress plugin before 2.4.8 does not have capability and CSRF checks in the rtb_welcome_set_schedule AJAX action, allowing any authenticated users to call it. Due to the lack of sanitisation and escaping, users with a role as low as subscriber could perform Cross-Site Scripting attacks against logged in admins
|
|||||
| CVE-2021-24963 | 1 Litespeedtech | 1 Litespeed Cache | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The LiteSpeed Cache WordPress plugin before 4.4.4 does not escape the qc_res parameter before outputting it back in the JS code of an admin page, leading to a Reflected Cross-Site Scripting
|
|||||
| CVE-2021-24961 | 1 Iptanus | 2 Wordpress File Upload, Wordpress File Upload Pro | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The WordPress File Upload WordPress plugin before 4.16.3, wordpress-file-upload-pro WordPress plugin before 4.16.3 does not escape some of its shortcode argument, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks
|
|||||
| CVE-2021-24958 | 1 Mekshq | 1 Meks Easy Photo Feed Widget | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Meks Easy Photo Feed Widget WordPress plugin before 1.2.4 does not have capability and CSRF checks in the meks_save_business_selected_account AJAX action, available to any authenticated user, and does not escape some of the settings. As a result, any authenticated user, such as subscriber could update the plugin's settings and put Cross-Site Scripting payloads in them
|
|||||
| CVE-2021-24956 | 1 Adenion | 1 Blog2social | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 6.8.7 does not sanitise and escape the b2sShowByDate parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue
|
|||||
| CVE-2021-24955 | 1 Profilepress | 1 User Registration\, Login Form\, User Profile \& Membership | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The User Registration, Login Form, User Profile & Membership WordPress plugin before 3.2.3 does not escape the data parameter of the pp_get_forms_by_builder_type AJAX action before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue
|
|||||
| CVE-2021-24954 | 1 Profilepress | 1 User Registration\, Login Form\, User Profile \& Membership | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The User Registration, Login Form, User Profile & Membership WordPress plugin before 3.2.3 does not sanitise and escape the ppress_cc_data parameter before outputting it back in an attribute of an admin dashboard page, leading to a Reflected Cross-Site Scripting issue
|
|||||
| CVE-2021-24953 | 1 Tinywebgallery | 1 Advanced Iframe | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Advanced iFrame WordPress plugin before 2022 does not sanitise and escape the ai_config_id parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue
|
|||||
| CVE-2021-24944 | 1 Cusmin | 1 Absolutely Glamorous Custom Admin | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Custom Dashboard & Login Page WordPress plugin before 7.0 does not sanitise some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
|
|||||
| CVE-2021-24941 | 1 Icegram | 1 Icegram | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Popups, Welcome Bar, Optins and Lead Generation Plugin WordPress plugin before 2.0.5 does not sanitise and escape the message_id parameter of the get_message_action_row AJAX action before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue
|
|||||
| CVE-2021-24940 | 1 Woocommerce | 1 Persian-woocommerce | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Persian Woocommerce WordPress plugin through 5.8.0 does not escape the s parameter before outputting it back in an attribute in the admin dashboard, which could lead to a Reflected Cross-Site Scripting issue
|
|||||
| CVE-2021-24939 | 1 Profilepress | 1 Loginwp | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The LoginWP (Formerly Peter's Login Redirect) WordPress plugin before 3.0.0.5 does not sanitise and escape the rul_login_url and rul_logout_url parameter before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting issue
|
|||||
| CVE-2021-24938 | 1 Woocommerce | 1 Woocommerce Currency Switcher | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The WOOCS WordPress plugin before 1.3.7.1 does not sanitise and escape the key parameter of the woocs_update_profiles_data AJAX action (available to any authenticated user) before outputting it back in the response, leading to a Reflected cross-Site Scripting issue
|
|||||
| CVE-2021-24937 | 1 Asset Cleanup\ | 1 Page Speed Booster Project | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Asset CleanUp: Page Speed Booster WordPress plugin before 1.3.8.5 does not escape the wpacu_selected_sub_tab_area parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting issue
|
|||||