Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24426 | 1 Web-dorado | 1 Backup-wd | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Backup by 10Web – Backup and Restore Plugin WordPress plugin through 1.0.20 does not sanitise or escape the tab parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue
|
|||||
| CVE-2021-24425 | 1 Premio | 1 Mystickymenu | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme – myStickymenu WordPress plugin before 2.5.2 does not sanitise or escape its Bar Text settings, allowing hight privilege users to use malicious JavaScript in it, leading to a Stored Cross-Site Scripting issue, which will be triggered in the plugin's setting, as well as all front-page of the blog (when the Welcome bar is active)
|
|||||
| CVE-2021-24424 | 1 Webfactoryltd | 1 Wp Reset | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The WP Reset – Most Advanced WordPress Reset Tool WordPress plugin before 1.90 did not sanitise or escape its extra_data parameter when creating a snapshot via the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue
|
|||||
| CVE-2021-24423 | 1 Updraftplus | 1 Updraftplus | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.6.59 does not sanitise its updraft_service settings, allowing high privilege users to set malicious JavaScript payload in it and leading to a Stored Cross-Site Scripting issue
|
|||||
| CVE-2021-24421 | 1 Eyecix | 1 Jobsearch Wp Job Board | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The WP JobSearch WordPress plugin before 1.7.4 did not sanitise or escape multiple of its parameters from the my-resume page before outputting them in the page, allowing low privilege users to use JavaScript payloads in them and leading to a Stored Cross-Site Scripting issue
|
|||||
| CVE-2021-24420 | 1 Emarketdesign | 1 Request A Quote | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Request a Quote WordPress plugin before 2.3.4 did not sanitise and escape some of its quote fields when adding/editing a quote as admin, leading to Stored Cross-Site scripting issues when the quote is output in the 'All Quotes" table.
|
|||||
| CVE-2021-24419 | 1 Wp Youtube Lyte Project | 1 Wp Youtube Lyte | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The WP YouTube Lyte WordPress plugin before 1.7.16 did not sanitise or escape its lyte_yt_api_key and lyte_notification settings before outputting them back in the page, allowing high privilege users to set XSS payload on them and leading to stored Cross-Site Scripting issues.
|
|||||
| CVE-2021-24418 | 1 Smooth Scroll Page Up\/down Buttons Project | 1 Smooth Scroll Page Up\/down Buttons | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Smooth Scroll Page Up/Down Buttons WordPress plugin through 1.4 does not properly sanitise and validate its psb_positioning settings, allowing high privilege users such as admin to set an XSS payload in it, which will be executed in all pages of the blog
|
|||||
| CVE-2021-24416 | 1 Bplugins | 1 Streamcast Radio Player | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The StreamCast – Radio Player for WordPress plugin before 2.1.1 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set Cross-Site Scripting payload in them which will be triggered in the page/s with the embed malicious shortcode
|
|||||
| CVE-2021-24415 | 1 Bplugins | 1 Polo Video Gallery | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Polo Video Gallery – Best wordpress video gallery plugin WordPress plugin through 1.2 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set Cross-Site Scripting payload in them which will be triggered in the page/s with the embed malicious shortcode
|
|||||
| CVE-2021-24414 | 1 Video Player For Youtube Project | 1 Video Player For Youtube | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Video Player for YouTube WordPress plugin before 1.4 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set Cross-Site Scripting payload in them which will be triggered in the page/s with the embed malicious shortcode
|
|||||
| CVE-2021-24413 | 1 Bplugins | 1 Easy Twitter Feed | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Easy Twitter Feed WordPress plugin before 1.2 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set Cross-Site Scripting payload in them which will be triggered in the page/s with the embed malicious shortcode
|
|||||
| CVE-2021-24412 | 1 Bplugins | 1 Html5 Audio Player | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Html5 Audio Player – Audio Player for WordPress plugin before 2.1.3 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set Cross-Site Scripting payload in them which will be triggered in the page/s with the embed malicious shortcode
|
|||||
| CVE-2021-24411 | 1 Social Tape Project | 1 Social Tape | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Social Tape WordPress plugin through 1.0 does not have CSRF checks in place when saving its settings, and do not sanitise or escape them before outputting them back in the page, leading to a stored Cross-Site Scripting issue via a CSRF attack
|
|||||
| CVE-2021-24410 | 1 Telugu Bible Verse Daily Project | 1 Telugu Bible Verse Daily | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The తెలుగు బైబిల్ వచనములు WordPress plugin through 1.0 is lacking any CSRF check when saving its settings and verses, and do not sanitise or escape them when outputting them back in the page. This could allow attackers to make a logged in admin change the settings, as well as add malicious verses containing JavaScript code in them, leading to Stored XSS issues
|
|||||
| CVE-2021-24409 | 1 Plugin-planet | 1 Prismatic | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Prismatic WordPress plugin before 2.8 does not escape the 'tab' GET parameter before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator
|
|||||
| CVE-2021-24408 | 1 Plugin-planet | 1 Prismatic | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Prismatic WordPress plugin before 2.8 does not sanitise or validate some of its shortcode parameters, allowing users with a role as low as Contributor to set Cross-Site payload in them. A post made by a contributor would still have to be approved by an admin to have the XSS trigger able in the frontend, however, higher privilege users, such as editor could exploit this without the need of approval, and even when the blog disallows the unfiltered_html capability.
|
|||||
| CVE-2021-24407 | 1 Tielabs | 1 Jannah | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Jannah WordPress theme before 5.4.5 did not properly sanitize the 'query' POST parameter in its tie_ajax_search AJAX action, leading to a Reflected Cross-site Scripting (XSS) vulnerability.
|
|||||
| CVE-2021-24389 | 1 Chimpgroup | 1 Foodbakery | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The WP Foodbakery WordPress plugin before 2.2, used in the FoodBakery WordPress theme before 2.2 did not properly sanitize the foodbakery_radius parameter before outputting it back in the response, leading to an unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability.
|
|||||
| CVE-2021-24388 | 1 E4j | 1 Vikrentcar Car Rental Management System | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
In the VikRentCar Car Rental Management System WordPress plugin before 1.1.7, there is a custom filed option by which we can manage all the fields that the users will have to fill in before saving the order. However, the field name is not sanitised or escaped before being output back in the page, leading to a stored Cross-Site Scripting issue. There is also no CSRF check done before saving the setting, allowing attackers to make a logged in admin set arbitrary Custom Fields, including one with X ...
Show More |
|||||
| CVE-2021-24387 | 1 Contempothemes | 1 Real Estate 7 | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The WP Pro Real Estate 7 WordPress theme before 3.1.1 did not properly sanitise the ct_community parameter in its search listing page before outputting it back in it, leading to a reflected Cross-Site Scripting which can be triggered in both unauthenticated or authenticated user context
|
|||||
| CVE-2021-24386 | 1 Kubiq | 1 Wp Svg Images | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The WP SVG images WordPress plugin before 3.4 did not sanitise the SVG files uploaded, which could allow low privilege users such as author+ to upload a malicious SVG and then perform XSS attacks by inducing another user to access the file directly. In v3.4, the plugin restricted such upload to editors and admin, with an option to also allow author to do so. The description of the plugin has also been updated with a security warning as upload of such content is intended.
|
|||||
| CVE-2021-24383 | 1 Codecabin | 1 Wp Go Maps | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The WP Google Maps WordPress plugin before 8.1.12 did not sanitise, validate of escape the Map Name when output in the Map List of the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue
|
|||||
| CVE-2021-24382 | 1 Nextendweb | 1 Smart Slider | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Smart Slider 3 Free and pro WordPress plugins before 3.5.0.9 did not sanitise the Project Name before outputting it back in the page, leading to a Stored Cross-Site Scripting issue. By default, only administrator users could access the affected functionality, limiting the exploitability of the vulnerability. However, some WordPress admins may allow lesser privileged users to access the plugin's functionality, in which case, privilege escalation could be performed.
|
|||||
| CVE-2021-24381 | 1 Ninjaforms | 1 Contact Form | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Ninja Forms Contact Form WordPress plugin before 3.5.8.2 does not sanitise and escape the custom class name of the form field created, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
|
|||||
| CVE-2021-24378 | 1 Autoptimize | 1 Autoptimize | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Autoptimize WordPress plugin before 2.7.8 does not check for malicious files such as .html in the archive uploaded via the 'Import Settings' feature. As a result, it is possible for a high privilege user to upload a malicious file containing JavaScript code inside an archive which will execute when a victim visits index.html inside the plugin directory.
|
|||||
| CVE-2021-24373 | 1 Getastra | 1 Wp Hardening | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The WP Hardening – Fix Your WordPress Security WordPress plugin before 1.2.2 did not sanitise or escape the historyvalue GET parameter before outputting it in a Javascript block, leading to a reflected Cross-Site Scripting issue.
|
|||||
| CVE-2021-24372 | 1 Getastra | 1 Wp Hardening | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The WP Hardening – Fix Your WordPress Security WordPress plugin before 1.2.2 did not sanitise or escape the $_SERVER['REQUEST_URI'] before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue.
|
|||||
| CVE-2021-24369 | 1 Ayecode | 1 Getpaid | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
In the GetPaid WordPress plugin before 2.3.4, users with the contributor role and above can create a new Payment Form, however the Label and Help Text input fields were not getting sanitized properly. So it was possible to inject malicious content such as img tags, leading to a Stored Cross-Site Scripting issue which is triggered when the form will be edited, for example when an admin reviews it and could lead to privilege escalation.
|
|||||
| CVE-2021-24368 | 1 Expresstech | 1 Quiz And Survey Master | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This could allow for privilege escalation by inducing a logged in admin to open a malicious link
|
|||||
| CVE-2021-24367 | 1 Wp Config File Editor Project | 1 Wp Config File Editor | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The WP Config File Editor WordPress plugin through 1.7.1 was affected by an Authenticated Stored Cross-Site Scripting (XSS) vulnerability.
|
|||||
| CVE-2021-24365 | 1 Admincolumns | 1 Admin Columns | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Admin Columns WordPress plugin Free before 4.3.2 and Pro before 5.5.2 allowed to configure individual columns for tables. Each column had a type. The type "Custom Field" allowed to choose an arbitrary database column to display in the table. There was no escaping applied to the contents of "Custom Field" columns.
|
|||||
| CVE-2021-24364 | 1 Tielabs | 1 Jannah | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Jannah WordPress theme before 5.4.4 did not properly sanitize the options JSON parameter in its tie_get_user_weather AJAX action before outputting it back in the page, leading to a Reflected Cross-Site Scripting (XSS) vulnerability.
|
|||||
| CVE-2021-24362 | 1 10web | 1 Photo Gallery | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded SVG files added to a gallery do not contain malicious content. As a result, users allowed to add images to gallery can upload an SVG file containing JavaScript code, which will be executed when accessing the image directly (ie in the /wp-content/uploads/photo-gallery/ folder), leading to a Cross-Site Scripting (XSS) issue
|
|||||
| CVE-2021-24357 | 1 Fooplugins | 1 Foogallery | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
In the Best Image Gallery & Responsive Photo Gallery – FooGallery WordPress plugin before 2.0.35, the Custom CSS field of each gallery is not properly sanitised or validated before being being output in the page where the gallery is embed, leading to a stored Cross-Site Scripting issue.
|
|||||
| CVE-2021-24351 | 1 Posimyth | 1 The Plus Addons For Elementor | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The theplus_more_post AJAX action of The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.12 did not properly sanitise some of its fields, leading to a reflected Cross-Site Scripting (exploitable on both unauthenticated and authenticated users)
|
|||||
| CVE-2021-24350 | 1 Bestwebsoft | 1 Visitors Online | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Visitors WordPress plugin through 0.3 is affected by an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability. The plugin would display the user's user agent string without validation or encoding within the WordPress admin panel.
|
|||||
| CVE-2021-24349 | 1 Gallery From Files Project | 1 Gallery From Files | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
This Gallery from files WordPress plugin through 1.6.0 gives the functionality of uploading images to the server. But filenames are not properly sanitized before being output in an error message when they have an invalid extension, leading to a reflected Cross-Site Scripting issue. Due to the lack of CSRF check, the attack could also be performed via such vector.
|
|||||
| CVE-2021-24346 | 1 Stock In \& Out Project | 1 Stock In \& Out | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Stock in & out WordPress plugin through 1.0.4 has a search functionality, the lowest accessible level to it being contributor. The srch POST parameter is not validated, sanitised or escaped before using it in the echo statement, leading to a reflected XSS issue
|
|||||
| CVE-2021-24344 | 1 Easy Preloader Project | 1 Easy Preloader | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
|
The Easy Preloader WordPress plugin through 1.0.0 does not sanitise its setting fields, leading to authenticated (admin+) Stored Cross-Site scripting issues
|
|||||