Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24613 | 1 Dfactory | 1 Post Views Counter | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Post Views Counter WordPress plugin before 1.3.5 does not sanitise or escape its Post Views Label settings, which could allow high privilege users to perform Cross-Site Scripting attacks in the frontend even when the unfiltered_html capability is disallowed
|
|||||
| CVE-2021-24612 | 1 Sociable Project | 1 Sociable | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Sociable WordPress plugin through 4.3.4.1 does not sanitise or escape some of its settings before outputting them in the admins dashboard, allowing high privilege users to perform Cross-Site Scripting attacks against other users even when the unfiltered_html capability is disallowed
|
|||||
| CVE-2021-24611 | 1 Keyword Meta Project | 1 Keyword Meta | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Keyword Meta WordPress plugin through 3.0 does not sanitise of escape its settings before outputting them back in the page after they are saved, allowing for Cross-Site Scripting issues. Furthermore, it is also lacking any CSRF check, allowing attacker to make a logged in high privilege user save arbitrary setting via a CSRF attack.
|
|||||
| CVE-2021-24610 | 1 Cozmoslabs | 1 Translatepress | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The TranslatePress WordPress plugin before 2.0.9 does not implement a proper sanitisation on the translated strings. The 'trp_sanitize_string' function only removes script tag with a regex, still allowing other HTML tags and attributes to execute javascript, which could lead to authenticated Stored Cross-Site Scripting issues.
|
|||||
| CVE-2021-24609 | 1 Wp Mapa Politico Espana Project | 1 Wp Mapa Politico Espana | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The WP Mapa Politico Espana WordPress plugin before 3.7.0 does not sanitise or escape some of its settings before outputting them in attributes, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed
|
|||||
| CVE-2021-24608 | 1 Strategy11 | 1 Formidable Form Builder | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Formidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress plugin before 5.0.07 does not sanitise and escape its Form's Labels, allowing high privileged users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
|
|||||
| CVE-2021-24607 | 1 Wooassist | 1 Storefront Footer Text | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Storefront Footer Text WordPress plugin through 1.0.1 does not sanitize and escape the "Footer Credit Text" added to pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered-html capability is disallowed.
|
|||||
| CVE-2021-24605 | 1 Custom Post View Generator Project | 1 Custom Post View Generator | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The create_post_page AJAX action of the Custom Post View Generator WordPress plugin through 0.4.6 (available to authenticated user) does not sanitise or escape user input before outputting it back in the response, leading to a Reflected Cross-Site issue
|
|||||
| CVE-2021-24604 | 1 Offshorewebmaster | 1 Availability Calendar | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Availability Calendar WordPress plugin before 1.2.2 does not sanitise or escape its Category Names before outputting them in page/post where the associated shortcode is embed, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed
|
|||||
| CVE-2021-24603 | 1 Geminilabs | 1 Site Reviews | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Site Reviews WordPress plugin before 5.13.1 does not sanitise some of its Review Details when adding a review as an admin, which could allow them to perform Cross-Site Scripting attacks when the unfiltered_html is disallowed
|
|||||
| CVE-2021-24601 | 1 Wpfront | 1 Wpfront Notification Bar | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The WPFront Notification Bar WordPress plugin before 2.1.0.08087 does not properly sanitise and escape its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
|
|||||
| CVE-2021-24600 | 1 Wp Dialog Project | 1 Wp Dialog | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The WP Dialog WordPress plugin through 1.2.5.5 does not sanitise and escape some of its settings before outputting them in pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
|
|||||
| CVE-2021-24599 | 1 Wp-webhooks | 1 Email Encoder | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Email Encoder – Protect Email Addresses WordPress plugin before 2.1.2 has an endpoint that requires no authentication and will render a user supplied value in the HTML response without escaping or sanitizing the data.
|
|||||
| CVE-2021-24598 | 1 Wpshopmart | 1 Testimonial Builder | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Testimonial WordPress plugin before 1.6.0 does not escape some testimonial fields which could allow high privilege users to perform Cross Site Scripting attacks even when the unfiltered_html capability is disallowed
|
|||||
| CVE-2021-24597 | 1 You-shang Project | 1 You-shang | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The You Shang WordPress plugin through 1.0.1 does not escape its qrcode links settings, which result into Stored Cross-Site Scripting issues in frontend posts and the plugins settings page depending on the payload used
|
|||||
| CVE-2021-24596 | 1 Itservicejung | 1 Youforms-free-for-copecart | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The youForms for WordPress plugin through 1.0.5 does not sanitise escape the Button Text field of its Templates, allowing high privilege users (editors and admins) to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
|
|||||
| CVE-2021-24595 | 1 Wp Cookie Choice Project | 1 Wp Cookie Choice | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
The Wp Cookie Choice WordPress plugin through 1.1.0 is lacking any CSRF check when saving its options, and do not escape them when outputting them in attributes. As a result, an attacker could make a logged in admin change them to arbitrary values including XSS payloads via a CSRF attack.
|
|||||
| CVE-2021-24594 | 1 Gtranslate | 1 Google Language Translator | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Translate WordPress – Google Language Translator WordPress plugin before 6.0.12 does not sanitise and escape some of its settings before outputting it in various pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
|
|||||
| CVE-2021-24593 | 1 Business Hours Indicator Project | 1 Business Hours Indicator | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Business Hours Indicator WordPress plugin before 2.3.5 does not sanitise or escape its 'Now closed message" setting when outputting it in the backend and frontend, leading to an Authenticated Stored Cross-Site Scripting issue
|
|||||
| CVE-2021-24592 | 1 Yoohooplugins | 1 Sitewide Notice | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Sitewide Notice WP WordPress plugin before 2.3 does not sanitise some of its settings before outputting them in frontend pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
|
|||||
| CVE-2021-24591 | 1 Dna88 | 1 Highlight | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Highlight WordPress plugin before 0.9.3 does not sanitise its CustomCSS setting, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
|
|||||
| CVE-2021-24590 | 1 Gdprinfo | 1 Cookie Notice \& Consent Banner For Gdpr \& Ccpa Compliance | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Cookie Notice & Consent Banner for GDPR & CCPA Compliance WordPress plugin before 1.7.2 does not properly sanitize inputs to prevent injection of arbitrary HTML within the plugin's design customization options.
|
|||||
| CVE-2021-24588 | 1 Cozyvision | 1 Sms Alert Order Notifications | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The SMS Alert Order Notifications WordPress plugin before 3.4.7 is affected by a cross site scripting (XSS) vulnerability in the plugin's setting page.
|
|||||
| CVE-2021-24587 | 1 Zeesweb | 1 Splash Header | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Splash Header WordPress plugin before 1.20.8 doesn't sanitise and escape some of its settings while outputting them in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue.
|
|||||
| CVE-2021-24586 | 1 Evona | 1 Per Page Add To Head | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
The Per page add to head WordPress plugin before 1.4.4 is lacking any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the setting (feature mentioned by the plugin), this could lead to Stored XSS issue which will be triggered either in the backend, frontend or both depending on the payload used.
|
|||||
| CVE-2021-24584 | 1 Motopress | 1 Timetable And Event Schedule | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Timetable and Event Schedule WordPress plugin before 2.4.2 does not have proper access control when updating a timeslot, allowing any user with the edit_posts capability (contributor+) to update arbitrary timeslot from any events. Furthermore, no CSRF check is in place as well, allowing such attack to be perform via CSRF against a logged in with such capability. In versions before 2.3.19, the lack of sanitisation and escaping in some of the fields, like the descritption could also lead to St ...
Show More |
|||||
| CVE-2021-24582 | 1 Thinktwit Project | 1 Thinktwit | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The ThinkTwit WordPress plugin before 1.7.1 did not sanitise or escape its "Consumer key" setting before outputting it its settings page, leading to a Stored Cross-Site Scripting issue.
|
|||||
| CVE-2021-24581 | 1 Blue-admin Project | 1 Blue-admin | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The Blue Admin WordPress plugin through 21.06.01 does not sanitise or escape its "Logo Title" setting before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin does not have CSRF check in place when saving its settings, allowing the issue to be exploited via a CSRF attack.
|
|||||
| CVE-2021-24578 | 1 Themeboy | 1 Sportspress | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The SportsPress WordPress plugin before 2.7.9 does not sanitise and escape its match_day parameter before outputting back in the Events backend page, leading to a Reflected Cross-Site Scripting issue
|
|||||
| CVE-2021-24577 | 1 Wpdevart | 1 Coming Soon And Maintenance Mode | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Coming soon and Maintenance mode WordPress plugin before 3.5.3 does not properly sanitize inputs submitted by authenticated users when setting adding or modifying coming soon or maintenance mode pages, leading to stored XSS.
|
|||||
| CVE-2021-24576 | 1 Techearty | 1 Easy Accordion | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Easy Accordion WordPress plugin before 2.0.22 does not properly sanitize inputs when adding new items to an accordion.
|
|||||
| CVE-2021-24574 | 1 Simple Banner Project | 1 Simple Banner | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Simple Banner WordPress plugin before 2.10.4 does not sanitise and escape one of its settings, allowing high privilege users such as admin to use Cross-Site Scripting payload even when the unfiltered_html capability is disallowed.
|
|||||
| CVE-2021-24571 | 1 Harmonicdesign | 1 Hd Quiz | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The HD Quiz WordPress plugin before 1.8.4 does not escape some of its Answers before outputting them in attribute when generating the Quiz, which could lead to Stored Cross-Site Scripting issues
|
|||||
| CVE-2021-24570 | 1 Wpplugin | 1 Accept Donations With Paypal | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
The Accept Donations with PayPal WordPress plugin before 1.3.1 offers a function to create donation buttons, which internally are posts. The process to create a new button is lacking a CSRF check. An attacker could use this to make an authenticated admin create a new button. Furthermore, one of the Button field is not escaped before being output in an attribute when editing a Button, leading to a Stored Cross-Site Scripting issue as well.
|
|||||
| CVE-2021-24569 | 1 Hu-manity | 1 Cookie Notice \& Compliance For Gdpr \/ Ccpa | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Cookie Notice & Compliance for GDPR / CCPA WordPress plugin before 2.1.2 does not escape the value of its Button Text setting when outputting it in an attribute in the frontend, allowing high privilege users such as admin to perform Cross-Site Scripting even when the unfiltered_html capability is disallowed.
|
|||||
| CVE-2021-24568 | 1 Addtoany | 1 Addtoany Share Buttons | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The AddToAny Share Buttons WordPress plugin before 1.7.46 does not sanitise its Sharing Header setting when outputting it in frontend pages, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
|
|||||
| CVE-2021-24567 | 1 Nickmomrik | 1 Simple Post | 2024-11-21 | N/A | 5.4 MEDIUM |
|
The Simple Post WordPress plugin through 1.1 does not sanitize user input when an authenticated user Text value, then it does not escape these values when outputting to the browser leading to an Authenticated Stored XSS Cross-Site Scripting issue.
|
|||||
| CVE-2021-24565 | 1 Contact Form 7 Captcha Project | 1 Contact Form 7 Captcha | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The Contact Form 7 Captcha WordPress plugin before 0.0.9 does not have any CSRF check in place when saving its settings, allowing attacker to make a logged in user with the manage_options change them. Furthermore, the settings are not escaped when output in attributes, leading to a Stored Cross-Site Scripting issue.
|
|||||
| CVE-2021-24564 | 1 Wpfront | 1 Scroll Top | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The WPFront Scroll Top WordPress plugin before 2.0.6.07225 does not sanitise or escape its Image ALT setting before outputting it attributes, leading to an Authenticated Stored Cross-Site Scripting issues even when the unfiltered_html capability is disallowed.
|
|||||
| CVE-2021-24563 | 1 Frontend Uploader Project | 1 Frontend Uploader | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Frontend Uploader WordPress plugin through 1.3.2 does not prevent HTML files from being uploaded via its form, allowing unauthenticated user to upload a malicious HTML file containing JavaScript for example, which will be triggered when someone access the file directly
|
|||||