Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24560 | 1 Tipsandtricks-hq | 1 Software License Manager | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Software License Manager WordPress plugin before 4.4.8 does not sanitise or escape the edit_record parameter before outputting it back in the page in the admin dashboard, leading to a Reflected Cross-Site Scripting issue
|
|||||
| CVE-2021-24558 | 1 3.7designs | 1 Project Status | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The pspin_duplicate_post_save_as_new_post function of the Project Status WordPress plugin through 1.6 does not sanitise, validate or escape the post GET parameter passed to it before outputting it in an error message when the related post does not exist, leading to a reflected XSS issue
|
|||||
| CVE-2021-24556 | 1 Email-subscriber Project | 1 Email-subscriber | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The kento_email_subscriber_ajax AJAX action of the Email Subscriber WordPress plugin through 1.1, does not properly sanitise, validate and escape the submitted subscribe_email and subscribe_name POST parameters, inserting them in the DB and then outputting them back in the Subscriber list (/wp-admin/edit.php?post_type=kes_campaign&page=kento_email_subscriber_list_settings), leading a Stored XSS issue.
|
|||||
| CVE-2021-24548 | 1 Mimetic | 1 Mimetic Books | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Mimetic Books WordPress plugin through 0.2.13 was vulnerable to Authenticated Stored Cross-Site Scripting (XSS) in the "Default Publisher ID" field on the plugin's settings page.
|
|||||
| CVE-2021-24547 | 1 Kn Fix Your Title Project | 1 Kn Fix Your Title | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The KN Fix Your Title WordPress plugin through 1.0.1 was vulnerable to Authenticated Stored XSS in the separator field.
|
|||||
| CVE-2021-24545 | 1 Wp Html Author Bio Project | 1 Wp Html Author Bio | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The WP HTML Author Bio WordPress plugin through 1.2.0 does not sanitise the HTML allowed in the Bio of users, allowing them to use malicious JavaScript code, which will be executed when anyone visit a post in the frontend made by such user. As a result, user with a role as low as author could perform Cross-Site Scripting attacks against users, which could potentially lead to privilege escalation when an admin view the related post/s.
|
|||||
| CVE-2021-24544 | 1 Motopress | 1 Motopress-slider-lite | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Responsive WordPress Slider WordPress plugin through 2.2.0 does not sanitise and escape some of the Slider options, allowing Cross-Site Scripting payloads to be set in them. Furthermore, as by default any authenticated user is allowed to create Sliders (https://wordpress.org/support/topic/slider-can-be-changed-from-any-user-even-subscriber/, such settings can be changed in the plugin's settings), this would allow user with a role as low as subscriber to perform Cross-Site Scripting attacks a ...
Show More |
|||||
| CVE-2021-24543 | 1 Jquery-reply-to-comment Project | 1 Jquery-reply-to-comment | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The jQuery Reply to Comment WordPress plugin through 1.31 does not have any CSRF check when saving its settings, nor sanitise or escape its 'Quote String' and 'Reply String' settings before outputting them in Comments, leading to a Stored Cross-Site Scripting issue.
|
|||||
| CVE-2021-24541 | 1 Wonderplugin | 1 Wonder Pdf Embed | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Wonder PDF Embed WordPress plugin before 1.7 does not escape parameters of its wonderplugin_pdf shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks.
|
|||||
| CVE-2021-24540 | 1 Wonderplugin | 1 Wonder Video Embed | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Wonder Video Embed WordPress plugin before 1.8 does not escape parameters of its wonderplugin_video shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks.
|
|||||
| CVE-2021-24539 | 1 Dazzlersoftware | 1 Coming Soon\, Under Construction \& Maintenance Mode By Dazzler | 2024-11-21 | 2.1 LOW | 4.8 MEDIUM |
|
The Coming Soon, Under Construction & Maintenance Mode By Dazzler WordPress plugin before 1.6.7 does not sanitise or escape its description setting when outputting it in the frontend when the Coming Soon mode is enabled, even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue
|
|||||
| CVE-2021-24538 | 1 Current Book Project | 1 Current Book | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Current Book WordPress plugin through 1.0.1 does not sanitize user input when an authenticated user adds Author or Book Title, then does not escape these values when outputting to the browser leading to an Authenticated Stored XSS Cross-Site Scripting issue.
|
|||||
| CVE-2021-24536 | 1 Custom Login Redirect Project | 1 Custom Login Redirect | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Custom Login Redirect WordPress plugin through 1.0.0 does not have CSRF check in place when saving its settings, and do not sanitise or escape user input before outputting them back in the page, leading to a Stored Cross-Site Scripting issue
|
|||||
| CVE-2021-24535 | 1 Light Messages Project | 1 Light Messages | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Light Messages WordPress plugin through 1.0 is lacking CSRF check when updating it's settings, and is not sanitising its Message Content in them (even with the unfiltered_html disallowed). As a result, an attacker could make a logged in admin update the settings to arbitrary values, and set a Cross-Site Scripting payload in the Message Content. Depending on the options set, the XSS payload can be triggered either in the backend only (in the plugin's settings), or both frontend and backend.
|
|||||
| CVE-2021-24534 | 1 Phonetrack | 1 Phonetrack Meu Site Manager | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The PhoneTrack Meu Site Manager WordPress plugin through 0.1 does not sanitise or escape its "php_id" setting before outputting it back in an attribute in the page, leading to a stored Cross-Site Scripting issue.
|
|||||
| CVE-2021-24533 | 1 Webfactoryltd | 1 Maintenance | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Maintenance WordPress plugin before 4.03 does not sanitise or escape some of its settings, allowing high privilege users such as admin to se Cross-Site Scripting payload in them (even when the unfiltered_html capability is disallowed), which will be triggered in the frontend
|
|||||
| CVE-2021-24531 | 1 Wpcharitable | 1 Charitable | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Charitable – Donation Plugin WordPress plugin before 1.6.51 is affected by an authenticated stored cross-site scripting vulnerability which was found in the add donation feature.
|
|||||
| CVE-2021-24530 | 1 Alojapro | 1 Alojapro Widget | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Alojapro Widget WordPress plugin through 1.1.15 doesn't properly sanitise its Custom CSS settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
|
|||||
| CVE-2021-24529 | 1 Awplife | 1 Grid Gallery | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Grid Gallery – Photo Image Grid Gallery WordPress plugin before 1.2.5 does not properly sanitize the title field for image galleries when adding them via the admin dashboard, resulting in an authenticated Stored Cross-Site Scripting vulnerability.
|
|||||
| CVE-2021-24528 | 1 Wpmanageninja | 1 Fluentsmtp | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The FluentSMTP WordPress plugin before 2.0.1 does not sanitize parameters before storing the settings in the database, nor does the plugin escape the values before outputting them when viewing the SMTP settings set by this plugin, leading to a stored cross site scripting (XSS) vulnerability. Only users with roles capable of managing plugins can modify the plugin's settings.
|
|||||
| CVE-2021-24526 | 1 10web | 1 Form Maker | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder WordPress plugin before 1.13.60 does not escape its Form Title before outputting it in an attribute when editing a form in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue
|
|||||
| CVE-2021-24525 | 1 Getshortcodes | 1 Shortcodes Ultimate | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Shortcodes Ultimate WordPress plugin before 5.10.2 allows users with Contributor roles to perform stored XSS via shortcode attributes. Note: the plugin is inconsistent in its handling of shortcode attributes; some do escape, most don't, and there are even some attributes that are insecure by design (like [su_button]'s onclick attribute).
|
|||||
| CVE-2021-24524 | 1 Givewp | 1 Givewp | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.12.0 did not escape the Donation Level setting of its Donation Forms, allowing high privilege users to use Cross-Site Scripting payloads in them.
|
|||||
| CVE-2021-24523 | 1 Mmrs151 | 1 Daily Prayer Time | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Daily Prayer Time WordPress plugin before 2021.08.10 does not sanitise or escape some of its settings before outputting them in the page, leading to Authenticated Stored Cross-Site Scripting issues.
|
|||||
| CVE-2021-24522 | 1 Properfraction | 1 Profilepress | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The User Registration, User Profile, Login & Membership – ProfilePress (Formerly WP User Avatar) WordPress plugin before 3.1.11's widget for tabbed login/register was not properly escaped and could be used in an XSS attack which could lead to wp-admin access. Further, the plugin in several places assigned $_POST as $_GET which meant that in some cases this could be replicated with just $_GET parameters and no need for $_POST values.
|
|||||
| CVE-2021-24519 | 1 Vikwp | 1 Car Rental Management System | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The VikRentCar Car Rental Management System WordPress plugin before 1.1.10 does not sanitise the 'Text Next to Icon' field when adding or editing a Characteristic, allowing high privilege users such as admin to use XSS payload in it, leading to an authenticated Stored Cross-Site Scripting issue
|
|||||
| CVE-2021-24518 | 1 Wpfront | 1 Notification Bar | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The WPFront Notification Bar WordPress plugin before 2.0.0.07176 does not sanitise or escape its Custom CSS setting, allowing high privilege users such as admin to set XSS payload in it even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue
|
|||||
| CVE-2021-24517 | 1 Trumani | 1 Stop Spammers | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Stop Spammers Security | Block Spam Users, Comments, Forms WordPress plugin before 2021.18 does not escape some of its settings, allowing high privilege users such as admin to set Cross-Site Scripting payloads in them even when the unfiltered_html capability is disallowed
|
|||||
| CVE-2021-24516 | 1 Planso | 1 Planso Forms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The PlanSo Forms WordPress plugin through 2.6.3 does not escape the title of its Form before outputting it in attributes, allowing high privilege users such as admin to set XSS payload in it, even when the unfiltered_html is disallowed, leading to an Authenticated Stored Cross-Site Scripting issue.
|
|||||
| CVE-2021-24515 | 1 Origincode | 1 Video Gallery | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Video Gallery WordPress plugin before 1.1.5 does not escape the Title and Description of the videos in a gallery before outputting them in attributes, leading to Stored Cross-Site Scripting issues
|
|||||
| CVE-2021-24514 | 1 Vfbpro | 1 Visual Form Builder | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Visual Form Builder WordPress plugin before 3.0.4 does not sanitise or escape its Form Name, allowing high privilege users such as admin to set Cross-Site Scripting payload in them, even when the unfiltered_html capability is disallowed
|
|||||
| CVE-2021-24513 | 1 Web-settler | 1 Form Builder | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Form Builder | Create Responsive Contact Forms WordPress plugin before 1.9.8.4 does not sanitise or escape its Form Title, allowing high privilege users such as admin to set Cross-Site Scripting payload in them, even when the unfiltered_html capability is disallowed
|
|||||
| CVE-2021-24512 | 1 Videowhisper | 1 Video Posts Webcam Recorder | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Video Posts Webcam Recorder WordPress plugin before 3.2.4 has an authenticated reflected cross site scripting (XSS) vulnerability in one of the administrative functions for handling deletion of videos.
|
|||||
| CVE-2021-24509 | 1 A3rev | 1 Page View Count | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Page View Count WordPress plugin before 2.4.9 does not escape the postid parameter of pvc_stats shortcode, allowing users with a role as low as Contributor to perform Stored XSS attacks. A post made by a contributor would still have to be approved by an admin to have the XSS triggered in the frontend, however, higher privilege users, such as editor could exploit this without the need of approval, and even when the blog disallows the unfiltered_html capability.
|
|||||
| CVE-2021-24508 | 1 Smashballoon | 1 Smash Balloon Social Post Feed | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Smash Balloon Social Post Feed WordPress plugin before 2.19.2 does not sanitise or escape the feedID POST parameter in its feed_locator AJAX action (available to both authenticated and unauthenticated users) before outputting a truncated version of it in the admin dashboard, leading to an unauthenticated Stored Cross-Site Scripting issue which will be executed in the context of a logged in administrator.
|
|||||
| CVE-2021-24505 | 1 Madeit | 1 Forms | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Forms WordPress plugin before 1.12.3 did not sanitise its input fields, leading to Stored Cross-Site scripting issues. The plugin was vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability within the Forms "Add new" field.
|
|||||
| CVE-2021-24504 | 1 Wplearnmanager | 1 Wp Learn Manager | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The WP LMS – Best WordPress LMS Plugin WordPress plugin through 1.1.2 does not properly sanitise or validate its User Field Titles, allowing XSS payload to be used in them. Furthermore, no CSRF and capability checks were in place, allowing such attack to be performed either via CSRF or as any user (including unauthenticated)
|
|||||
| CVE-2021-24503 | 1 Thememason | 1 Popular Brand Icons - Simple Icons | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Popular Brand Icons – Simple Icons WordPress plugin before 2.7.8 does not sanitise or validate some of its shortcode parameters, such as "color", "size" or "class", allowing users with a role as low as Contributor to set Cross-Site payload in them. A post made by a contributor would still have to be approved by an admin to have the XSS triggered in the frontend, however, higher privilege users, such as editor could exploit this without the need of approval, and even when the blog disallows t ...
Show More |
|||||
| CVE-2021-24498 | 1 Dwbooster | 1 Calendar Event Multi View | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Calendar Event Multi View WordPress plugin before 1.4.01 does not sanitise or escape the 'start' and 'end' GET parameters before outputting them in the page (via php/edit.php), leading to a reflected Cross-Site Scripting issue.
|
|||||
| CVE-2021-24496 | 1 Community Events Project | 1 Community Events | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Community Events WordPress plugin before 1.4.8 does not sanitise, validate or escape its importrowscount and successimportcount GET parameters before outputting them back in an admin page, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator
|
|||||