Total: 42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2021-24935 | 1 Wp Google Fonts Project | 1 Wp Google Fonts | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The WP Google Fonts WordPress plugin before 3.1.5 does not escape the googlefont_ajax_name and googlefont_ajax_family parameters of the googlefont_action AJAX action (available to any authenticated user) before outputting them in attributes, leading to Reflected Cross-Site Scripting issues. |
| CVE-2021-24934 | 1 Yellowpencil | 1 Visual Css Style Editor | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Visual CSS Style Editor WordPress plugin before 7.5.4 does not sanitise and escape the wyp_page_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue. |
| CVE-2021-24933 | 1 Bootstrapped | 1 Dynamic Widgets | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The Dynamic Widgets WordPress plugin through 1.5.16 does not escape the prefix parameter before outputting it back in an attribute when using the term_tree AJAX action (available to any authenticated user), leading to a Reflected Cross-Site Scripting issue. |
| CVE-2021-24932 | 1 Cm-wp | 1 Auto Featured Image | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Auto Featured Image (Auto Post Thumbnail) WordPress plugin before 3.9.3 does not sanitise and escape the post_id parameter before outputting it back in an admin page within a JS block, leading to a Reflected Cross-Site Scripting issue. |
| CVE-2021-24930 | 1 Booking-wp-plugin | 1 Bookly | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The WordPress Online Booking and Scheduling Plugin WordPress plugin before 20.3.1 does not escape the Staff Full Name field before outputting it back in a page, which could lead to a Stored Cross-Site Scripting issue. |
| CVE-2021-24927 | 1 My Calendar Project | 1 My Calendar | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The My Calendar WordPress plugin before 3.2.18 does not sanitise and escape the callback parameter of the mc_post_lookup AJAX action (available to any authenticated user) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue. |
| CVE-2021-24926 | 1 Domaincheckplugin | 1 Domain Check | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Domain Check WordPress plugin before 1.0.17 does not sanitise and escape the domain parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue. |
| CVE-2021-24925 | 1 Webnus | 1 Modern Events Calendar Lite | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the current_month_divider parameter of its mec_list_load_more AJAX call (available to both unauthenticated and authenticated users) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue. |
| CVE-2021-24924 | 1 Email Log Project | 1 Email Log | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Email Log WordPress plugin before 2.4.8 does not escape the d parameter before outputting it back in an attribute in the Log page, leading to a Reflected Cross-Site Scripting issue. |
| CVE-2021-24923 | 1 Brevo | 1 Newsletter, Smtp, Email Marketing And Subscribe | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue WordPress plugin before 3.1.25 does not escape the sib-statistics-date parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue. |
| CVE-2021-24921 | 1 Sigmaplugin | 1 Advanced Database Cleaner | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Advanced Database Cleaner WordPress plugin before 3.0.4 does not sanitise and escape $_GET keys and values before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues. |
| CVE-2021-24920 | 1 Statcounter | 1 Statcounter | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The StatCounter WordPress plugin before 2.0.7 does not sanitise and escape the Project ID and Secure Code settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2021-24918 | 1 Smashballoon | 1 Smash Balloon Social Post Feed | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The Smash Balloon Social Post Feed WordPress plugin before 4.0.1 did not have any privilege or nonce validation before saving the plugin's settings. As a result, any logged-in user on a vulnerable site could update the settings and store rogue JavaScript on each of its posts and pages. |
| CVE-2021-24912 | 1 Transposh | 1 Transposh Wordpress Translation | 2024-11-21 | N/A | 5.4 MEDIUM | The Transposh WordPress Translation WordPress plugin before 1.0.8 does not have a CSRF check in its tp_translation AJAX action, which could allow attackers to make authorised users add a translation. Given the lack of sanitisation in the tk0 parameter, this could lead to a Stored Cross-Site Scripting issue which will be executed in the context of a logged-in admin. |
| CVE-2021-24911 | 1 Transposh | 1 Transposh Wordpress Translation | 2024-11-21 | N/A | 5.4 MEDIUM | The Transposh WordPress Translation WordPress plugin before 1.0.8 does not sanitise and escape the tk0 parameter from the tp_translation AJAX action, leading to Stored Cross-Site Scripting, which will trigger in the admin dashboard of the plugin. The minimum role needed to perform such an attack depends on the plugin's "Who can translate ?" setting. |
| CVE-2021-24910 | 1 Transposh | 1 Transposh Wordpress Translation | 2024-11-21 | N/A | 6.1 MEDIUM | The Transposh WordPress Translation WordPress plugin before 1.0.8 does not sanitise and escape the a parameter via an AJAX action (available to both unauthenticated and authenticated users when the curl library is installed) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue. |
| CVE-2021-24909 | 1 Navz | 1 Acf Photo Gallery Field | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The ACF Photo Gallery Field WordPress plugin before 1.7.5 does not sanitise and escape the post parameter in the includes/acf_photo_gallery_metabox_edit.php file before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue. |
| CVE-2021-24908 | 1 Wpchill | 1 Check & Log Email | 2024-11-21 | 2.6 LOW | 6.1 MEDIUM | The Check & Log Email WordPress plugin before 1.0.4 does not escape the d parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue. |
| CVE-2021-24907 | 1 Wpeverest | 1 Everest Forms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Contact Form, Drag and Drop Form Builder for WordPress plugin before 1.8.0 does not escape the status parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue. |
| CVE-2021-24904 | 1 Lenderd | 1 Mortgage Calculators Wp | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The Mortgage Calculators WP WordPress plugin before 1.56 does not implement any sanitisation on the color setting of the background of a calculator, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2021-24903 | 1 Codeasily | 1 Grand Flagallery | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The GRAND FlaGallery WordPress plugin through 6.1.2 does not sanitise and escape some of its gallery settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2021-24902 | 1 Typebot | 1 Typebot | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The Typebot \| Build beautiful conversational forms WordPress plugin before 1.4.3 does not sanitise and escape the Publish ID setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2021-24901 | 1 Securemoz | 1 Security Audit | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The Security Audit WordPress plugin through 1.0.0 does not sanitise and escape the Data Id setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2021-24900 | 1 Wpmanageninja | 1 Ninja Tables | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The Ninja Tables WordPress plugin before 4.1.8 does not sanitise and escape some of its table fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2021-24899 | 1 Media-tags Project | 1 Media-tags | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The Media-Tags WordPress plugin through 3.2.0.2 does not sanitise and escape any of its Labels settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2021-24898 | 1 Editable-table Project | 1 Editable Table | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The EditableTable WordPress plugin through 0.1.4 does not sanitise and escape any of the Table and Column fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2021-24897 | 1 Viitorcloud | 1 Add Subtitle | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The Add Subtitle WordPress plugin through 1.1.0 does not sanitise or escape the sub-title field (available only with the classic editor) when output in the page, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks. |
| CVE-2021-24896 | 1 Calderaforms | 1 Caldera Forms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The Caldera Forms WordPress plugin before 1.9.5 does not sanitise and escape the Form Name before outputting it in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2021-24895 | 1 Webbigt | 1 Cybersoldier | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The Cybersoldier WordPress plugin before 1.7.0 does not sanitise and escape the URL setting before outputting it in an attribute, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2021-24891 | 1 Elementor | 1 Website Builder | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Elementor Website Builder WordPress plugin before 3.4.8 does not sanitise or escape user input appended to the DOM via a malicious hash, resulting in a DOM Cross-Site Scripting issue. |
| CVE-2021-24888 | 1 Imageboss | 1 Imageboss | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The ImageBoss WordPress plugin before 3.0.6 does not sanitise and escape its Source Name setting, which could allow high privilege users to perform Cross-Site Scripting attacks. |
| CVE-2021-24885 | 1 Yop-poll | 1 Yop-poll | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The YOP Poll WordPress plugin before 6.1.2 does not escape the perpage parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue. |
| CVE-2021-24884 | 1 Strategy11 | 1 Formidable Form Builder | 2024-11-21 | 6.8 MEDIUM | 9.6 CRITICAL | The Formidable Form Builder WordPress plugin before 4.09.05 allows injection of certain HTML tags like `<audio>`, `<video>`, `<img>`, `<a>` and `<button>`. This could allow an unauthenticated, remote attacker to exploit an HTML injection by injecting a malicious link. The HTML injection may trick authenticated users into following the link. If the link gets clicked, JavaScript code can be executed. The vulnerability is due to insufficient sanitization of the "data-frmverify" tag for links in the web-based entry inspectio ... |
| CVE-2021-24883 | 1 Essentialplugin | 1 Popup Anything | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The Popup Anything WordPress plugin before 2.0.4 does not escape the Link Text and Button Text fields of Popup, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks. |
| CVE-2021-24882 | 1 Tribulant | 1 Slideshow Gallery | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The Slideshow Gallery WordPress plugin before 1.7.4 does not sanitise and escape the Slide "Title", "Description", and Gallery "Title" fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2021-24880 | 1 Supportcandy | 1 Supportcandy | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The SupportCandy WordPress plugin before 2.2.7 does not validate and escape the page attribute of its shortcode, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks. |
| CVE-2021-24878 | 1 Supportcandy | 1 Supportcandy | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The SupportCandy WordPress plugin before 2.2.7 does not sanitise and escape the query string before outputting it back in pages with the [wpsc_create_ticket] shortcode embedded, leading to a Reflected Cross-Site Scripting issue. |
| CVE-2021-24876 | 1 Roundupwp | 1 Registrations For The Events Calendar | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Registrations for the Events Calendar WordPress plugin before 2.7.5 does not escape the v parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue. |
| CVE-2021-24875 | 1 Implecode | 1 Ecommerce Product Catalog | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The eCommerce Product Catalog Plugin for WordPress plugin before 3.0.39 does not escape the ic-settings-search parameter before outputting it back in the page in an attribute, leading to a Reflected Cross-Site Scripting issue. |
| CVE-2021-24874 | 1 Brevo | 1 Newsletter, Smtp, Email Marketing And Subscribe | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue WordPress plugin before 3.1.31 does not escape the lang and pid parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues. |