Total: 42233 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2021-24873 | 1 Themeum | 1 Tutor Lms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Tutor LMS WordPress plugin before 1.9.11 does not sanitise and escape user input before outputting it back in attributes in the Student Registration page, leading to a Reflected Cross-Site Scripting issue. |
| CVE-2021-24871 | 1 Get Custom Field Values Project | 1 Get Custom Field Values | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The Get Custom Field Values WordPress plugin before 4.0.1 does not escape custom fields before outputting them in the page, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks. |
| CVE-2021-24856 | 1 Tammersoft | 1 Shared Files | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The Shared Files WordPress plugin before 1.6.61 does not sanitise and escape the Download Counter Text settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2021-24855 | 1 Display Post Metadata Project | 1 Display Post Metadata | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The Display Post Metadata WordPress plugin before 1.5.0 adds a shortcode to print out custom fields; however, their content is not sanitised or escaped, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks. |
| CVE-2021-24854 | 1 Qr Redirector Project | 1 Qr Redirector | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The QR Redirector WordPress plugin before 1.6.1 does not sanitise and escape some of the QR Redirect fields, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. |
| CVE-2021-24850 | 1 Insert Pages Project | 1 Insert Pages | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The Insert Pages WordPress plugin before 3.7.0 adds a shortcode that prints out other pages' content and custom fields. It can be used by users with a role as low as Contributor to perform Cross-Site Scripting attacks by storing the payload/s in another post's custom fields. |
| CVE-2021-24841 | 1 Helpful Project | 1 Helpful | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The Helpful WordPress plugin before 4.4.59 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2021-24834 | 1 Yop-poll | 1 Yop Poll | 2024-11-21 | 4.3 MEDIUM | 5.4 MEDIUM | The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability which exists in the Create Poll - Options module, where a user with a role as low as Author is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of custom label parameters: vote button label, results link label and back to vote caption label. |
| CVE-2021-24833 | 1 Yop-poll | 1 Yop Poll | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability which exists in the Admin preview module, where a user with a role as low as Author is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of question and answer text parameters in the Create Poll module. |
| CVE-2021-24830 | 1 Vasyltech | 1 Advanced Access Manager | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The Advanced Access Manager WordPress plugin before 6.8.0 does not escape some of its settings when outputting them, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2021-24828 | 1 Mlcalc | 1 Mortgage Calculator/Loan Calculator | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The Mortgage Calculator / Loan Calculator WordPress plugin before 1.5.17 does not escape some of the attributes of its mlcalc shortcode before outputting them, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks. |
| CVE-2021-24826 | 1 Custom Content Shortcode Project | 1 Custom Content Shortcode | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The Custom Content Shortcode WordPress plugin before 4.0.2 does not escape custom fields before outputting them, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. Please note that such an attack is still possible by Admin+ in single-site blogs by default (but won't be when unfiltered_html is disallowed). |
| CVE-2021-24822 | 1 Stylishcostcalculator | 1 Stylish Cost Calculator | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The Stylish Cost Calculator WordPress plugin before 7.0.4 does not have any authorisation and CSRF checks on some of its AJAX actions (available to authenticated users), which could allow any authenticated user, such as a Subscriber, to call them and perform Stored Cross-Site Scripting attacks against logged-in admins, as well as frontend users, due to the lack of sanitisation and escaping in some parameters. |
| CVE-2021-24821 | 1 Nicdark | 1 Cost Calculator | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The Cost Calculator WordPress plugin before 1.6 allows users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the Description fields of a Cost Calculator > Price Settings (which gets injected on the edit page as well as any page that embeds the calculator using the shortcode), as well as the Text Preview field of a Project (injected on the edit project page). |
| CVE-2021-24817 | 1 Ultimate Nofollow Project | 1 Ultimate Nofollow | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The Ultimate NoFollow WordPress plugin through 1.4.8 does not sanitise and escape the href attribute of its shortcodes, allowing users with a role as low as Contributor to perform Cross-Site Scripting attacks. |
| CVE-2021-24815 | 1 Wpplugin | 1 Accept Donations With Paypal | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The Accept Donations with PayPal WordPress plugin before 1.3.2 does not escape the Amount Menu Name field of created Buttons, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2021-24814 | 1 Welaunch | 1 Wordpress Gdpr&ccpa | 2024-11-21 | 6.8 MEDIUM | 9.6 CRITICAL | The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.26, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type. Since an HTML payload isn't properly escaped, it may be interpreted by a web browser led to this endpoint. JavaScript code may be executed in a victim's browser. If the victim is an administrator with a valid session cookie, full control of the WordPress instance may be taken (AJ ... |
| CVE-2021-24813 | 1 E-dynamics | 1 Events Made Easy | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The Events Made Easy WordPress plugin before 2.2.24 does not sanitise and escape Custom Field Names, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2021-24812 | 1 Wpdeveloper | 1 Betterlinks | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The BetterLinks WordPress plugin before 1.2.6 does not sanitise and escape some of the imported link fields, which could lead to Stored Cross-Site Scripting issues when an admin imports a malicious CSV. |
| CVE-2021-24811 | 1 Shoppagewp | 1 Shop Page Wp | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The Shop Page WP WordPress plugin before 1.2.8 does not sanitise and escape some of the Product fields, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2021-24810 | 1 Wp-eventmanager | 1 Wp Event Manager | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The WP Event Manager WordPress plugin before 3.1.23 does not escape some of its Field Editor settings when outputting them, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2021-24808 | 1 Wordplus | 1 Better Messages | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The BP Better Messages WordPress plugin before 1.9.9.41 sanitises (with sanitize_text_field) but does not escape the 'subject' parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue. |
| CVE-2021-24807 | 1 Schiocco | 1 Support Board | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The Support Board WordPress plugin before 3.3.5 allows authenticated (Agent+) users to perform Cross-Site Scripting attacks by placing a payload in the notes field; when an administrator or any authenticated user goes to the chat, the XSS will be automatically executed. |
| CVE-2021-24801 | 1 Wp Survey Plus Project | 1 Wp Survey Plus | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | The WP Survey Plus WordPress plugin through 1.0 does not have any authorisation and CSRF checks in place in its AJAX actions, allowing any user to call them and add/edit/delete Surveys. Furthermore, due to the lack of sanitization in the Surveys' Title, this could also lead to Stored Cross-Site Scripting issues. |
| CVE-2021-24798 | 1 Androidbubbles | 1 Wp Header Images | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The WP Header Images WordPress plugin before 2.0.1 does not sanitise and escape the t parameter before outputting it back in the plugin's settings page, leading to a Reflected Cross-Site Scripting issue. |
| CVE-2021-24797 | 1 Tickera | 1 Tickera | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Tickera WordPress plugin before 3.4.8.3 does not properly sanitise and escape the Name fields of booked Events before outputting them in the Orders admin dashboard, which could allow unauthenticated users to perform Cross-Site Scripting attacks against admins. |
| CVE-2021-24796 | 1 My Tickets Project | 1 My Tickets | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The My Tickets WordPress plugin before 1.8.31 does not properly sanitise and escape the Email field of booked tickets before outputting it in the Payment admin dashboard, which could allow unauthenticated users to perform Cross-Site Scripting attacks against admins. |
| CVE-2021-24794 | 1 Connections-pro | 1 Connections Business Directory | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The Connections Business Directory WordPress plugin before 10.4.3 does not escape the Address settings when creating an Entry, which could allow high privilege users to perform Cross-Site Scripting even when the unfiltered_html capability is disallowed. |
| CVE-2021-24793 | 1 Etruel | 1 Wpematico Rss Feed Fetcher | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The WPeMatico RSS Feed Fetcher WordPress plugin before 2.6.12 does not escape the Feed URL added to a campaign before outputting it in an attribute, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2021-24792 | 1 Wpeden | 1 Shiny Buttons | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Shiny Buttons WordPress plugin through 1.1.0 does not have any authorisation and CSRF checks in place when saving a template (wpbtn_save_template function hooked to the init action), nor does it sanitise and escape templates before outputting them in the admin dashboard, which allows unauthenticated users to add a malicious template and leads to Stored Cross-Site Scripting issues. |
| CVE-2021-24789 | 1 Flat Preloader Project | 1 Flat Preloader | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The Flat Preloader WordPress plugin before 1.5.5 does not escape some of its settings when outputting them in an attribute in the frontend, which could allow high privilege users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. |
| CVE-2021-24787 | 1 Webventures | 1 Client Invoicing By Sprout Invoices | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The Client Invoicing by Sprout Invoices WordPress plugin before 19.9.7 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2021-24785 | 1 Great-quotes Project | 1 Great-quotes | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The Great Quotes WordPress plugin through 1.0.0 does not sanitise and escape the Quote and Author fields of its Quotes, which could allow high privilege users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. |
| CVE-2021-24782 | 1 Flex Local Fonts Project | 1 Flex Local Fonts | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The Flex Local Fonts WordPress plugin through 1.0.0 does not escape the Class Name field when adding a font, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2021-24771 | 1 Inspirational Quote Rotator Project | 1 Inspirational Quote Rotator | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The Inspirational Quote Rotator WordPress plugin through 1.0.0 does not sanitize and escape some of its quote fields when adding/editing a quote as admin, leading to Stored Cross-Site Scripting issues when the quote is output in the "Quotes list", even when the unfiltered_html capability is disallowed. |
| CVE-2021-24768 | 1 Wprssaggregator | 1 Wp Rss Aggregator | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The WP RSS Aggregator WordPress plugin before 4.19.2 does not properly sanitise and escape the URL to Blacklist field, allowing malicious HTML to be inserted by high privilege users even when the unfiltered_html capability is disallowed, which could lead to Cross-Site Scripting issues. |
| CVE-2021-24765 | 1 Getperfectsurvey | 1 Perfect Survey | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Perfect Survey WordPress plugin through 1.5.2 does not validate and escape the X-Forwarded-For header value before outputting it in the statistic page when the Anonymize IP setting of a survey is turned off, leading to a Stored Cross-Site Scripting issue. |
| CVE-2021-24764 | 1 Getperfectsurvey | 1 Perfect Survey | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Perfect Survey WordPress plugin before 1.5.2 does not sanitise and escape multiple parameters (id and filters[session_id] of the single_statistics page, type and message of the importexport page) before outputting them back in pages/attributes in the admin dashboard, leading to Reflected Cross-Site Scripting issues. |
| CVE-2021-24760 | 1 Pdf Viewer Block For Gutenberg Project | 1 Pdf Viewer Block For Gutenberg | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The Gutenberg PDF Viewer Block WordPress plugin before 1.0.1 does not sanitise and escape its block, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks. |
| CVE-2021-24759 | 1 Pdf.js Viewer Project | 1 Pdf.js Viewer | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The PDF.js Viewer WordPress plugin before 2.0.2 does not escape some of its shortcode and Gutenberg Block attributes, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks. |