Total
42233 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24290 | 1 De-baat | 1 Store Locator Plus | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
There are several endpoints in the Store Locator Plus for WordPress plugin through 5.5.15 that could allow unauthenticated attackers the ability to inject malicious JavaScript into pages.
|
|||||
| CVE-2021-24287 | 1 Mooveagency | 1 Select All Categories And Taxonomies\, Change Checkbox To Radio Buttons | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The settings page of the Select All Categories and Taxonomies, Change Checkbox to Radio Buttons WordPress plugin before 1.3.2 did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue
|
|||||
| CVE-2021-24286 | 1 Mooveagency | 1 Redirect 404 To Parent | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The settings page of the Redirect 404 to parent WordPress plugin before 1.3.1 did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue
|
|||||
| CVE-2021-24283 | 1 Pickplugins | 1 Accordion | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The tab GET parameter of the settings page is not sanitised or escaped when being output back in an HTML attribute, leading to a reflected XSS issue.
|
|||||
| CVE-2021-24277 | 1 Wpuslugi | 1 Rss For Yandex Turbo | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The RSS for Yandex Turbo WordPress plugin before 1.30 did not properly sanitise the user inputs from its Счетчики settings tab before outputting them back in the page, leading to authenticated stored Cross-Site Scripting issues
|
|||||
| CVE-2021-24276 | 1 Supsystic | 1 Contact Form | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Contact Form by Supsystic WordPress plugin before 1.7.15 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue
|
|||||
| CVE-2021-24275 | 1 Supsystic | 1 Popup | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Popup by Supsystic WordPress plugin before 1.10.5 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue
|
|||||
| CVE-2021-24274 | 1 Supsystic | 1 Ultimate Maps | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Ultimate Maps by Supsystic WordPress plugin before 1.2.5 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue
|
|||||
| CVE-2021-24273 | 1 Cleversoft | 1 Clever Addons For Elementor | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The “Clever Addons for Elementor” WordPress Plugin before 2.1.0 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
|
|||||
| CVE-2021-24271 | 1 Brainstormforce | 1 Ultimate Addons For Elementor | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The “Ultimate Addons for Elementor” WordPress Plugin before 1.30.0 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
|
|||||
| CVE-2021-24270 | 1 Detheme | 1 Dethemekit For Elementor | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The “DeTheme Kit for Elementor” WordPress Plugin before 1.5.5.5 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
|
|||||
| CVE-2021-24269 | 1 Sinaextra | 1 Sina Extension For Elementor | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The “Sina Extension for Elementor” WordPress Plugin before 3.3.12 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
|
|||||
| CVE-2021-24268 | 1 Crocoblock | 1 Jetwidgets For Elementor | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The “JetWidgets For Elementor” WordPress Plugin before 1.0.9 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
|
|||||
| CVE-2021-24267 | 1 Themesgrove | 1 All-in-one Addons For Elementor | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The “All-in-One Addons for Elementor – WidgetKit” WordPress Plugin before 2.3.10 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
|
|||||
| CVE-2021-24266 | 1 Posimyth | 1 The Plus Addons For Elementor Page Builder Lite | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The “The Plus Addons for Elementor Page Builder Lite” WordPress Plugin before 2.0.6 has four widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
|
|||||
| CVE-2021-24265 | 1 Apollo13themes | 1 Rife Elementor Extensions \& Templates | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The “Rife Elementor Extensions & Templates” WordPress Plugin before 1.1.6 has a widget that is vulnerable to stored Cross-Site Scripting(XSS) by lower-privileged users such as contributors, all via a similar method.
|
|||||
| CVE-2021-24264 | 1 Blocksera | 1 Image Hover Effects | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The “Image Hover Effects – Elementor Addon” WordPress Plugin before 1.3.4 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
|
|||||
| CVE-2021-24263 | 1 Ideabox | 1 Powerpack Addons For Elementor | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The “Elementor Addons – PowerPack Addons for Elementor” WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
|
|||||
| CVE-2021-24262 | 1 Hasthemes | 1 Woolentor - Woocommerce Elementor Addons \+ Builder | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The “WooLentor – WooCommerce Elementor Addons + Builder” WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
|
|||||
| CVE-2021-24261 | 1 Hasthemes | 1 Ht Mega | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The “HT Mega – Absolute Addons for Elementor Page Builder” WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
|
|||||
| CVE-2021-24260 | 1 Livemeshelementor | 1 Addons For Elementor | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The “Livemesh Addons for Elementor” WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
|
|||||
| CVE-2021-24259 | 1 Webtechstreet | 1 Elementor Addon Elements | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The “Elementor Addon Elements” WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
|
|||||
| CVE-2021-24258 | 1 Wpmet | 1 Elements Kit Elementor Addons | 2024-11-21 | 4.0 MEDIUM | 5.4 MEDIUM |
|
The Elements Kit Lite and Elements Kit Pro WordPress Plugins before 2.2.0 have a number of widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
|
|||||
| CVE-2021-24257 | 1 Leap13 | 1 Premium Addons For Elementor | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The “Premium Addons for Elementor” WordPress Plugin before 4.2.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
|
|||||
| CVE-2021-24256 | 1 Brainstormforce | 1 Elementor - Header\, Footer \& Blocks Template | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The “Elementor – Header, Footer & Blocks Template” WordPress Plugin before 1.5.8 has two widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
|
|||||
| CVE-2021-24255 | 1 Wpdeveloper | 1 Essential Addons For Elementor | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Essential Addons for Elementor Lite WordPress Plugin before 4.5.4 has two widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, both via a similar method.
|
|||||
| CVE-2021-24250 | 1 Strategy11 | 1 Business Directory Plugin - Easy Listing Directories | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from lack of sanitisation in the label of the Form Fields, leading to Authenticated Stored Cross-Site Scripting issues across various pages of the plugin.
|
|||||
| CVE-2021-24247 | 1 Mooveagency | 1 Contact Form Check Tester | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Contact Form Check Tester WordPress plugin through 1.0.2 settings are visible to all registered users in the dashboard and are lacking any sanitisation. As a result, any registered user, such as subscriber, can leave an XSS payload in the plugin settings, which will be triggered by any user visiting them, and could allow for privilege escalation. The vendor decided to close the plugin.
|
|||||
| CVE-2021-24246 | 1 Purethemes | 2 Workscout, Workscout Core | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Workscout Core WordPress plugin before 1.3.4, used by the WorkScout Theme did not sanitise the chat messages sent via the workscout_send_message_chat AJAX action, leading to Stored Cross-Site Scripting and Cross-Frame Scripting issues
|
|||||
| CVE-2021-24245 | 1 Trumani | 1 Stop Spammers | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Stop Spammers WordPress plugin before 2021.9 did not escape user input when blocking requests (such as matching a spam word), outputting it in an attribute after sanitising it to remove HTML tags, which is not sufficient and lead to a reflected Cross-Site Scripting issue.
|
|||||
| CVE-2021-24243 | 1 Wpbakery Page Builder Clipboard Project | 1 Wpbakery Page Builder Clipboard | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
An AJAX action registered by the WPBakery Page Builder (Visual Composer) Clipboard WordPress plugin before 4.5.6 did not have capability checks nor sanitization, allowing low privilege users (subscriber+) to call it and set XSS payloads, which will be triggered in all backend pages.
|
|||||
| CVE-2021-24241 | 1 Advancedcustomfields | 1 Advanced Custom Fields | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Advanced Custom Fields Pro WordPress plugin before 5.9.1 did not properly escape the generated update URL when outputting it in an attribute, leading to a reflected Cross-Site Scripting issue in the update settings page.
|
|||||
| CVE-2021-24239 | 1 Genetechsolutions | 1 Pie Register | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Pie Register – User Registration Forms. Invitation based registrations, Custom Login, Payments WordPress plugin before 3.7.0.1 does not sanitise the invitaion_code GET parameter when outputting it in the Activation Code page, leading to a reflected Cross-Site Scripting issue.
|
|||||
| CVE-2021-24237 | 1 Purethemes | 2 Findeo, Realteo | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Realteo WordPress plugin before 1.2.4, used by the Findeo Theme, did not properly sanitise the keyword_search, search_radius. _bedrooms and _bathrooms GET parameters before outputting them in its properties page, leading to an unauthenticated reflected Cross-Site Scripting issue.
|
|||||
| CVE-2021-24235 | 1 Boostifythemes | 1 Goto | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Goto WordPress theme before 2.0 does not sanitise the keywords and start_date GET parameter on its Tour List page, leading to an unauthenticated reflected Cross-Site Scripting issue.
|
|||||
| CVE-2021-24234 | 1 Ivorysearch | 1 Ivory Search | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Search Forms page of the Ivory Search WordPress lugin before 4.6.1 did not properly sanitise the tab parameter before output it in the page, leading to a reflected Cross-Site Scripting issue when opening a malicious crafted link as a high privilege user. Knowledge of a form id is required to conduct the attack.
|
|||||
| CVE-2021-24233 | 1 Boxystudio | 1 Cooked | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
|
The Cooked Pro WordPress plugin before 1.7.5.6 was affected by unauthenticated reflected Cross-Site Scripting issues, due to improper sanitisation of user input while being output back in pages as an arbitrary attribute.
|
|||||
| CVE-2021-24232 | 1 Elbtide | 1 Advanced Booking Calendar | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
The Advanced Booking Calendar WordPress plugin before 1.6.8 does not sanitise the license error message when output in the settings page, leading to an authenticated reflected Cross-Site Scripting issue
|
|||||
| CVE-2021-24229 | 1 Patreon | 1 Patreon Wordpress | 2024-11-21 | 6.8 MEDIUM | 9.6 CRITICAL |
|
The Jetpack Scan team identified a Reflected Cross-Site Scripting via the patreon_save_attachment_patreon_level AJAX action of the Patreon WordPress plugin before 1.7.2. This AJAX hook is used to update the pledge level required by Patreon subscribers to access a given attachment. This action is accessible for user accounts with the ‘manage_options’ privilege (i.e.., only administrators). Unfortunately, one of the parameters used in this AJAX endpoint is not sanitized before being printed back t ...
Show More |
|||||
| CVE-2021-24228 | 1 Patreon | 1 Patreon Wordpress | 2024-11-21 | 6.8 MEDIUM | 9.6 CRITICAL |
|
The Jetpack Scan team identified a Reflected Cross-Site Scripting in the Login Form of the Patreon WordPress plugin before 1.7.2. The WordPress login form (wp-login.php) is hooked by the plugin and offers to allow users to authenticate on the site using their Patreon account. Unfortunately, some of the error logging logic behind the scene allowed user-controlled input to be reflected on the login page, unsanitized.
|
|||||