Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24756 | 1 Wp System Log Project | 1 Wp System Log | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The WP System Log WordPress plugin before 1.0.21 does not sanitise, validate and escape the IP address retrieved from login requests before outputting them in the admin dashboard, which could allow unauthenticated attacker to perform Cross-Site Scripting attacks against admins viewing the logs.
|
|||||
| CVE-2021-24751 | 1 Generateblocks | 1 Generateblocks | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The GenerateBlocks WordPress plugin before 1.4.0 does not validate the generateblocks/container block's tagName attribute, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks.
|
|||||
| CVE-2021-24746 | 1 Heateor | 1 Sassy Social Share | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Social Sharing Plugin WordPress plugin before 3.3.40 does not escape the viewed post URL before outputting it back in onclick attributes when the "Enable 'More' icon" option is enabled (which is the default setting), leading to a Reflected Cross-Site Scripting issue.
|
|||||
| CVE-2021-24745 | 1 Wpkube | 1 About Author Box | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The About Author Box WordPress plugin before 1.0.2 does not sanitise and escape the Social Profiles field values before outputting them in attributes, which could allow user with a role as low as contributor to perform Cross-Site Scripting attacks.
|
|||||
| CVE-2021-24744 | 1 Cimatti | 1 Contact Forms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The WordPress Contact Forms by Cimatti WordPress plugin before 1.4.12 does not sanitise and escape the Form Title before outputting it in some admin pages. which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed.
|
|||||
| CVE-2021-24743 | 1 Secondlinethemes | 1 Podcast Subscribe Buttons | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Podcast Subscribe Buttons WordPress plugin before 1.4.2 allows users with any role capable of editing or adding posts to perform stored XSS.
|
|||||
| CVE-2021-24740 | 1 Themeum | 1 Tutor Lms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Tutor LMS WordPress plugin before 1.9.9 does not escape some of its settings before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
|
|||||
| CVE-2021-24738 | 1 Shapedplugin | 1 Logo Carousel | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Logo Carousel WordPress plugin before 3.4.2 does not validate and escape the "Logo Margin" carousel option, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks
|
|||||
| CVE-2021-24737 | 1 Gvectors | 1 Wpdiscuz | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Comments – wpDiscuz WordPress plugin through 7.3.0 does not properly sanitise or escape the Follow and Unfollow messages before outputting them in the page, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
|
|||||
| CVE-2021-24736 | 1 Tammersoft | 1 Shared Files | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Easy Download Manager and File Sharing Plugin with frontend file upload – a better Media Library — Shared Files WordPress plugin before 1.6.57 does not sanitise and escape some of its settings before outputting them in attributes, which could lead to Stored Cross-Site Scripting issues.
|
|||||
| CVE-2021-24734 | 1 Tipsandtricks-hq | 1 Compact Wp Audio Player | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Compact WP Audio Player WordPress plugin before 1.9.7 does not escape some of its shortcodes attributes, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2021-24732 | 1 Dearhive | 1 Dearflip | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The PDF Flipbook, 3D Flipbook WordPress – DearFlip WordPress plugin before 1.7.10 does not escape the class attribute of its shortcode before outputting it back in an attribute, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks
|
|||||
| CVE-2021-24729 | 1 Infornweb | 1 Logo Showcase With Slick Slider | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Logo Showcase with Slick Slider WordPress plugin before 1.2.4 does not sanitise the Grid Settings, which could allow users with a role as low as Author to perform stored Cross-Site Scripting attacks via post metadata of Grid logo showcase.
|
|||||
| CVE-2021-24724 | 1 Motopress | 1 Timetable And Event Schedule | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Timetable and Event Schedule by MotoPress WordPress plugin before 2.3.19 does not sanitise some of its parameters, which could allow low privilege users such as author to perform XSS attacks against frontend and backend users when viewing the related event/s
|
|||||
| CVE-2021-24723 | 1 Wpreactions | 1 Wp Reactions Lite | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The WP Reactions Lite WordPress plugin before 1.3.6 does not properly sanitize inputs within wp-admin pages, allowing users with sufficient access to inject XSS payloads within /wp-admin/ pages.
|
|||||
| CVE-2021-24722 | 1 Motopress | 1 Restaurant Menu | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Restaurant Menu by MotoPress WordPress plugin before 2.4.2 does not properly sanitize or escape inputs when creating new menu items, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
|
|||||
| CVE-2021-24720 | 1 Ayecode | 1 Geodirectory | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The GeoDirectory Business Directory WordPress plugin before 2.1.1.3 was vulnerable to Authenticated Stored Cross-Site Scripting (XSS).
|
|||||
| CVE-2021-24719 | 1 Kriesi | 1 Enfold | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Enfold Enfold WordPress theme before 4.8.4 was vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability is present on Enfold versions previous than 4.8.4 which use Avia Page Builder.
|
|||||
| CVE-2021-24718 | 1 Reputeinfosystems | 1 Contact Form\, Survey \& Popup Form Plugin For Wordpress - Arforms Form Builder | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Contact Form, Survey & Popup Form Plugin for WordPress plugin before 1.5 does not properly sanitize some of its settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
|
|||||
| CVE-2021-24716 | 1 Webnus | 1 Modern Events Calendar Lite | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Modern Events Calendar Lite WordPress plugin before 5.22.3 does not properly sanitize or escape values set by users with access to adjust settings withing wp-admin.
|
|||||
| CVE-2021-24715 | 1 Wp Sitemap Page Project | 1 Wp Sitemap Page | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The WP Sitemap Page WordPress plugin before 1.7.0 does not properly sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
|
|||||
| CVE-2021-24714 | 1 Soflyy | 1 Wp All Import | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Import any XML or CSV File to WordPress plugin before 3.6.3 does not escape the Import's Title and Unique Identifier fields before outputting them in admin pages, which could allow high privilege users to perform Cross-Site attacks even when the unfiltered_html capability is disallowed.
|
|||||
| CVE-2021-24712 | 1 Dwbooster | 1 Appointment Hour Booking | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Appointment Hour Booking WordPress plugin before 1.3.17 does not properly sanitize values used when creating new calendars.
|
|||||
| CVE-2021-24710 | 1 Print-o-matic Project | 1 Print-o-matic | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Print-O-Matic WordPress plugin before 2.0.3 does not escape some of its settings before outputting them in attribute, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
|
|||||
| CVE-2021-24709 | 1 Awplife | 1 Weather Effect | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Weather Effect WordPress plugin before 1.3.6 does not properly validate and escape some of its settings (like *_size_leaf, *_flakes_leaf, *_speed) which could lead to Stored Cross-Site Scripting issues
|
|||||
| CVE-2021-24708 | 1 Wp All Export Project | 1 Wp All Export | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Export any WordPress data to XML/CSV WordPress plugin before 1.3.1 does not escape its Export's Name before outputting it in Manage Exports settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
|
|||||
| CVE-2021-24707 | 1 Nd-learning Project | 1 Nd-learning | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Learning Courses WordPress plugin before 5.0 does not sanitise and escape the Email PDT identity token settings, which could allow high privilege users to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
|
|||||
| CVE-2021-24706 | 1 Qwizcards Project | 1 Qwizcards | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Qwizcards – online quizzes and flashcards WordPress plugin before 3.62 does not properly sanitize and escape some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
|
|||||
| CVE-2021-24702 | 1 Thimpress | 1 Learnpress | 2024-11-21 | 2.1 LOW | 4.8 MEDIUM |
|
The LearnPress WordPress plugin before 4.1.3.1 does not properly sanitize or escape various inputs within course settings, which could allow high privilege users to perform Cross-Site Scripting attacks when the unfiltred_html capability is disallowed
|
|||||
| CVE-2021-24701 | 1 Quiz Tool Lite Project | 1 Quiz Tool Lite | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Quiz Tool Lite WordPress plugin through 2.3.15 does not sanitize multiple input fields used when creating or managing quizzes and in other setting options, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
|
|||||
| CVE-2021-24700 | 1 Incsub | 1 Forminator | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Forminator WordPress plugin before 1.15.4 does not sanitize and escape the email field label, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed
|
|||||
| CVE-2021-24699 | 1 Easy Media Download Project | 1 Easy Media Download | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Easy Media Download WordPress plugin before 1.1.7 does not escape the text argument of its shortcode, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2021-24697 | 1 Tipsandtricks-hq | 1 Simple Download Monitor | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Simple Download Monitor WordPress plugin before 3.9.5 does not escape the 1) sdm_active_tab GET parameter and 2) sdm_stats_start_date/sdm_stats_end_date POST parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues
|
|||||
| CVE-2021-24694 | 1 Tipsandtricks-hq | 1 Simple Download Monitor | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Simple Download Monitor WordPress plugin before 3.9.11 could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attack via 1) "color" or "css_class" argument of sdm_download shortcode, 2) "class" or "placeholder" argument of sdm_search_form shortcode.
|
|||||
| CVE-2021-24693 | 1 Tipsandtricks-hq | 1 Simple Download Monitor | 2024-11-21 | 6.0 MEDIUM | 9.0 CRITICAL |
|
The Simple Download Monitor WordPress plugin before 3.9.5 does not escape the "File Thumbnail" post meta before outputting it in some pages, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. Given the that XSS is triggered even when the Download is in a review state, contributor could make JavaScript code execute in a context of a reviewer such as admin and make them create a rogue admin account, or install a malicious plugin
|
|||||
| CVE-2021-24691 | 1 Expresstech | 1 Quiz And Survey Master | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Quiz And Survey Master WordPress plugin before 7.3.2 does not escape the Quiz Url Slug setting before outputting it in some pages, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
|
|||||
| CVE-2021-24690 | 1 Kibokolabs | 1 Chained Quiz | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Chained Quiz WordPress plugin before 1.2.7.2 does not properly sanitize or escape inputs in the plugin's settings.
|
|||||
| CVE-2021-24687 | 1 Webnus | 1 Modern Events Calendar Lite | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Modern Events Calendar Lite WordPress plugin before 5.22.2 does not escape some of its settings before outputting them in attributes, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
|
|||||
| CVE-2021-24686 | 1 Benbodhi | 1 Svg Support | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The SVG Support WordPress plugin before 2.3.20 does not escape the "CSS Class to target" setting before outputting it in an attribute, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
|
|||||
| CVE-2021-24685 | 1 Flat Preloader Project | 1 Flat Preloader | 2024-11-21 | 5.0 MEDIUM | 5.4 MEDIUM |
|
The Flat Preloader WordPress plugin before 1.5.4 does not enforce nonce checks when saving its settings, as well as does not sanitise and escape them, which could allow attackers to a make logged in admin change them with a Cross-Site Scripting payload (triggered either in the frontend or backend depending on the payload)
|
|||||