Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24495 | 1 Marmoset | 1 Marmoset Viewer | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Marmoset Viewer WordPress plugin before 1.9.3 does not property sanitize, validate or escape the 'id' parameter before outputting back in the page, leading to a reflected Cross-Site Scripting issue.
|
|||||
| CVE-2021-24494 | 1 Deliciousbrains | 1 Wp Offload Ses Lite | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The WP Offload SES Lite WordPress plugin before 1.4.5 did not escape some of the fields in the Activity page of the admin dashboard, such as the email's id, subject and recipient, which could lead to Stored Cross-Site Scripting issues when an attacker can control any of these fields, like the subject when filling a contact form for example. The XSS will be executed in the context of a logged in admin viewing the Activity tab of the plugin.
|
|||||
| CVE-2021-24489 | 1 Emarketdesign | 1 Request A Quote | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Request a Quote WordPress plugin before 2.3.9 does not sanitise, validate or escape some of its settings in the admin dashboard, leading to authenticated Stored Cross-Site Scripting issues even when the unfiltered_html capability is disallowed.
|
|||||
| CVE-2021-24488 | 1 Pickplugins | 1 Post Grid | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The slider import search feature and tab parameter of the Post Grid WordPress plugin before 2.1.8 settings are not properly sanitised before being output back in the pages, leading to Reflected Cross-Site Scripting issues
|
|||||
| CVE-2021-24487 | 1 Sanskruti | 1 St-daily-tip | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
The St-Daily-Tip WordPress plugin through 4.7 does not have any CSRF check in place when saving its 'Default Text to Display if no tips' setting, and was also lacking sanitisation as well as escaping before outputting it the page. This could allow attacker to make logged in administrators set a malicious payload in it, leading to a Stored Cross-Site Scripting issue
|
|||||
| CVE-2021-24486 | 1 Wpbrigade | 1 Simple Social Media Share Buttons | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Simple Social Media Share Buttons – Social Sharing for Everyone WordPress plugin before 3.2.3 did not escape the align and like_button_size parameters of its SSB shortcode, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.
|
|||||
| CVE-2021-24485 | 1 Wp-special-textboxes Project | 1 Wp-special-textboxes | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Special Text Boxes WordPress plugin before 5.9.110 does not sanitise or escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed.
|
|||||
| CVE-2021-24482 | 1 Never5 | 1 Related Posts | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Related Posts for WordPress plugin through 2.0.4 does not sanitise its heading_text and CSS settings, allowing high privilege users (admin) to set XSS payloads in them, leading to Stored Cross-Site Scripting issues.
|
|||||
| CVE-2021-24481 | 1 Any Hostname Project | 1 Any Hostname | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Any Hostname WordPress plugin through 1.0.6 does not sanitise or escape its "Allowed hosts" setting, leading to an authenticated stored XSS issue as high privilege users are able to set XSS payloads in it
|
|||||
| CVE-2021-24480 | 1 Event Geek Project | 1 Event Geek | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Event Geek WordPress plugin through 2.5.2 does not sanitise or escape its "Use your own " setting before outputting it in the page, leading to an authenticated (admin+) stored Cross-Site Scripting issue
|
|||||
| CVE-2021-24479 | 1 Drawblog Project | 1 Drawblog | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The DrawBlog WordPress plugin through 0.90 does not sanitise or validate some of its settings before outputting them back in the page, leading to an authenticated stored Cross-Site Scripting issue
|
|||||
| CVE-2021-24478 | 1 Bookshelf Project | 1 Bookshelf | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Bookshelf WordPress plugin through 2.0.4 does not sanitise or escape its "Paypal email address" setting before outputting it in the page, leading to an authenticated Stored Cross-Site Scripting issue
|
|||||
| CVE-2021-24477 | 1 Migrate Users Project | 1 Migrate Users | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Migrate Users WordPress plugin through 1.0.1 does not sanitise or escape its Delimiter option before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin does not have CSRF check in place when saving its options, allowing the issue to be exploited via a CSRF attack.
|
|||||
| CVE-2021-24476 | 1 Steam Group Viewer Project | 1 Steam Group Viewer | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Steam Group Viewer WordPress plugin through 2.1 does not sanitise or escape its "Steam Group Address" settings before outputting it in the page, leading to an authenticated Stored Cross-Site Scripting issue
|
|||||
| CVE-2021-24474 | 1 Awesome Weather Widget Project | 1 Awesome Weather Widget | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Awesome Weather Widget WordPress plugin through 3.0.2 does not sanitize the id parameter of its awesome_weather_refresh AJAX action, leading to an unauthenticated Reflected Cross-Site Scripting (XSS) Vulnerability.
|
|||||
| CVE-2021-24471 | 1 Youtube Embed Project | 1 Youtube Embed | 2024-11-21 | 2.1 LOW | 5.4 MEDIUM |
|
The YouTube Embed WordPress plugin before 5.2.2 does not validate, escape or sanitise some of its shortcode attributes, leading to Stored XSS issues by 1. using w, h, controls, cc_lang, color, language, start, stop, or style parameter of youtube shortcode, 2. by using style, class, rel, target, width, height, or alt parameter of youtube_thumb shortcode, or 3. by embedding a video whose title or description contains XSS payload (if API key is configured).
|
|||||
| CVE-2021-24470 | 1 Yada Wiki Project | 1 Yada Wiki | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Yada Wiki WordPress plugin before 3.4.1 did not sanitise, validate or escape the anchor attribute of its shortcode, leading to a Stored Cross-Site Scripting issue
|
|||||
| CVE-2021-24468 | 1 Bozdoz | 1 Leaflet Map | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Leaflet Map WordPress plugin before 3.0.0 does not escape some shortcode attributes before they are used in JavaScript code or HTML, which could allow users with a role as low as Contributors to exploit stored XSS issues
|
|||||
| CVE-2021-24467 | 1 Leaflet Map Project | 1 Leaflet Map | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
|
The Leaflet Map WordPress plugin before 3.0.0 does not verify the CSRF nonce when saving its settings, which allows attackers to make a logged in admin update the settings via a Cross-Site Request Forgery attack. This could lead to Cross-Site Scripting issues by either changing the URL of the JavaScript library being used, or using malicious attributions which will be executed in all page with an embed map from the plugin
|
|||||
| CVE-2021-24466 | 1 Verse-o-matic Project | 1 Verse-o-matic | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Verse-O-Matic WordPress plugin through 4.1.1 does not have any CSRF checks in place, allowing attackers to make logged in administrators do unwanted actions, such as add/edit/delete arbitrary verses and change the settings. Due to the lack of sanitisation in the settings and verses, this could also lead to Stored Cross-Site Scripting issues
|
|||||
| CVE-2021-24464 | 1 Wpdevart | 1 Youtube Embed\, Playlist And Popup | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The YouTube Embed, Playlist and Popup by WpDevArt WordPress plugin before 2.3.9 did not escape, validate or sanitise some of its shortcode options, available to users with a role as low as Contributor, leading to an authenticated Stored Cross-Site Scripting issue.
|
|||||
| CVE-2021-24455 | 1 Themeum | 1 Tutor Lms | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Tutor LMS – eLearning and online course solution WordPress plugin before 1.9.2 did not escape the Summary field of Announcements (when outputting it in an attribute), which can be created by users as low as Tutor Instructor. This lead to a Stored Cross-Site Scripting issue, which is triggered when viewing the Announcements list, and could result in privilege escalation when viewed by an admin.
|
|||||
| CVE-2021-24454 | 1 Yop-poll | 1 Yop Poll | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
In the YOP Poll WordPress plugin before 6.2.8, when a pool is created with the options "Allow other answers", "Display other answers in the result list" and "Show results", it can lead to Stored Cross-Site Scripting issues as the 'Other' answer is not sanitised before being output in the page. The execution of the XSS payload depends on the 'Show results' option selected, which could be before or after sending the vote for example.
|
|||||
| CVE-2021-24452 | 1 Boldgrid | 1 W3 Total Cache | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The W3 Total Cache WordPress plugin before 2.1.5 was affected by a reflected Cross-Site Scripting (XSS) issue within the "extension" parameter in the Extensions dashboard, when the 'Anonymously track usage to improve product quality' setting is enabled, as the parameter is output in a JavaScript context without proper escaping. This could allow an attacker, who can convince an authenticated admin into clicking a link, to run malicious JavaScript within the user's web browser, which could lead to ...
Show More |
|||||
| CVE-2021-24450 | 1 Properfraction | 1 Profilepress | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The User Registration, User Profiles, Login & Membership – ProfilePress (Formerly WP User Avatar) WordPress plugin before 3.1.8 did not sanitise or escape some of its settings before saving them and outputting them back in the page, allowing high privilege users such as admin to set JavaScript payloads in them even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue
|
|||||
| CVE-2021-24448 | 1 Cozmoslabs | 1 Profile Builder | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The User Registration & User Profile – Profile Builder WordPress plugin before 3.4.8 does not sanitise or escape its 'Modify default Redirect Delay timer' setting, allowing high privilege users to use JavaScript code in it, even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue
|
|||||
| CVE-2021-24445 | 1 Draftpress | 1 My Site Audit | 2024-11-21 | 3.5 LOW | 5.5 MEDIUM |
|
The My Site Audit WordPress plugin through 1.2.4 does not sanitise or escape the Audit Name field when creating an audit, allowing high privilege users to set JavaScript payloads in them, even when he unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue
|
|||||
| CVE-2021-24444 | 1 Taxopress | 1 Taxopress | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The TaxoPress – Create and Manage Taxonomies, Tags, Categories WordPress plugin before 3.0.7.2 does not sanitise its Taxonomy description field, allowing high privilege users to set JavaScript payload in them even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue.
|
|||||
| CVE-2021-24443 | 1 Kainelabs | 1 Youzify | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The About Me widget of the Youzify – BuddyPress Community, User Profile, Social Network & Membership WordPress plugin before 1.0.7 does not properly sanitise its Biography field, allowing any authenticated user to set Cross-Site Scripting payloads in it, which will be executed when viewing the affected user profile. This could allow a low privilege user to gain unauthorised access to the admin side of the blog by targeting an admin, inducing them to view their profile with a malicious payload ad ...
Show More |
|||||
| CVE-2021-24440 | 1 Fetchdesigns | 1 Sign-up Sheets | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Sign-up Sheets WordPress plugin before 1.0.14 did not sanitise or escape some of its fields when creating a new sheet, allowing high privilege users to add JavaScript in them, leading to a Stored Cross-Site Scripting issue. The payloads will be triggered when viewing the 'All Sheets' page in the admin dashboard
|
|||||
| CVE-2021-24439 | 1 Prothemedesign | 1 Browser Screenshots | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Browser Screenshots WordPress plugin before 1.7.6 allowed authenticated users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks as the image_class parameter of the browser-shot shortcode was not escaped.
|
|||||
| CVE-2021-24438 | 1 Sharethis | 1 Dashboard For Google Analytics | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The ShareThis Dashboard for Google Analytics WordPress plugin before 2.5.2 does not sanitise or escape the 'ga_action' parameter in the stats view before outputting it back in an attribute when the plugin is connected to a Google Analytics account, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator
|
|||||
| CVE-2021-24437 | 1 Realfavicongenerator | 1 Favicon By Realfavicongenerator | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Favicon by RealFaviconGenerator WordPress plugin through 1.3.20 does not sanitise or escape one of its parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting (XSS) which is executed in the context of a logged administrator.
|
|||||
| CVE-2021-24436 | 1 Boldgrid | 1 W3 Total Cache | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The W3 Total Cache WordPress plugin before 2.1.4 was vulnerable to a reflected Cross-Site Scripting (XSS) security vulnerability within the "extension" parameter in the Extensions dashboard, which is output in an attribute without being escaped first. This could allow an attacker, who can convince an authenticated admin into clicking a link, to run malicious JavaScript within the user's web browser, which could lead to full site compromise.
|
|||||
| CVE-2021-24435 | 1 Gambit | 1 Titan Framework | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The iframe-font-preview.php file of the titan-framework does not properly escape the font-weight and font-family GET parameters before outputting them back in an href attribute, leading to Reflected Cross-Site Scripting issues
|
|||||
| CVE-2021-24434 | 1 Codeblab | 1 Glass | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Glass WordPress plugin through 1.3.2 does not sanitise or escape its "Glass Pages" setting before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin did not have CSRF check in place when saving its settings, allowing the issue to be exploited via a CSRF attack.
|
|||||
| CVE-2021-24431 | 1 Language Bar Flags Project | 1 Language Bar Flags | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
|
The Language Bar Flags WordPress plugin through 1.0.8 does not have any CSRF in place when saving its settings and did not sanitise or escape them when generating the flag bar in the frontend. This could allow attackers to make a logged in admin change the settings, and set Cross-Site Scripting payload in them, which will be executed in the frontend for all users
|
|||||
| CVE-2021-24429 | 1 Salonbookingsystem | 1 Salon Booking System | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Salon booking system WordPress plugin before 6.3.1 does not properly sanitise and escape the First Name field when booking an appointment, allowing low privilege users such as subscriber to set JavaScript in them, leading to a Stored Cross-Site Scripting (XSS) vulnerability. The Payload will then be triggered when an admin visits the "Calendar" page and the malicious script is executed in the admin context.
|
|||||
| CVE-2021-24428 | 1 Yandex | 1 Yandex Turbo | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The RSS for Yandex Turbo WordPress plugin through 1.30 does not sanitise or escape some of its settings before saving and outputing them in the admin dashboard, leading to an Authenticated Stored Cross-Site Scripting issue even when the unfiltered_html capability is disallowed.
|
|||||
| CVE-2021-24427 | 1 Boldgrid | 1 W3 Total Cache | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The W3 Total Cache WordPress plugin before 2.1.3 did not sanitise or escape some of its CDN settings, allowing high privilege users to use JavaScript in them, which will be output in the page, leading to an authenticated Stored Cross-Site Scripting issue
|
|||||