Total
18012 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24669 | 1 Feataholic | 1 Maz Loader | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
The MAZ Loader – Preloader Builder for WordPress plugin before 1.3.3 does not validate or escape the loader_id parameter of the mzldr shortcode, which allows users with a role as low as Contributor to perform SQL injection.
|
|||||
| CVE-2021-24666 | 1 Podlove | 1 Podlove Podcast Publisher | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
|
The Podlove Podcast Publisher WordPress plugin before 3.5.6 contains a 'Social & Donations' module (not activated by default), which adds the rest route '/services/contributor/(?P<id>[\d]+), takes an 'id' and 'category' parameters as arguments. Both parameters can be used for the SQLi.
|
|||||
| CVE-2021-24662 | 1 Game-server-status Project | 1 Game-server-status | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
The Game Server Status WordPress plugin through 1.0 does not validate or escape the server_id parameter before using it in SQL statement, leading to an Authenticated SQL Injection in an admin page
|
|||||
| CVE-2021-24651 | 1 Ays-pro | 1 Poll Maker | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
The Poll Maker WordPress plugin before 3.4.2 allows unauthenticated users to perform SQL injection via the ays_finish_poll AJAX action. While the result is not disclosed in the response, it is possible to use a timing attack to exfiltrate data such as password hash.
|
|||||
| CVE-2021-24631 | 1 Unlimited Popups Project | 1 Unlimited Popups | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
The Unlimited PopUps WordPress plugin through 4.5.3 does not sanitise or escape the did GET parameter before using it in a SQL statement, available to users as low as editor, leading to an authenticated SQL Injection
|
|||||
| CVE-2021-24630 | 1 Schreikasten Project | 1 Schreikasten | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
The Schreikasten WordPress plugin through 0.14.18 does not sanitise or escape the id GET parameter before using it in SQL statements in the comments dashboard from various actions, leading to authenticated SQL Injections which can be exploited by users as low as author
|
|||||
| CVE-2021-24629 | 1 Post Content Xmlrpc Project | 1 Post Content Xmlrpc | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
The Post Content XMLRPC WordPress plugin through 1.0 does not sanitise or escape multiple GET/POST parameters before using them in SQL statements in the admin dashboard, leading to an authenticated SQL Injections
|
|||||
| CVE-2021-24628 | 1 Wow-company | 1 Wow Forms | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
The Wow Forms WordPress plugin through 3.1.3 does not sanitise or escape a 'did' GET parameter before using it in a SQL statement, when deleting a form in the admin dashboard, leading to an authenticated SQL injection
|
|||||
| CVE-2021-24627 | 1 G Auto-hyperlink Project | 1 G Auto-hyperlink | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
The G Auto-Hyperlink WordPress plugin through 1.0.1 does not sanitise or escape an 'id' GET parameter before using it in a SQL statement, to select data to be displayed in the admin dashboard, leading to an authenticated SQL injection
|
|||||
| CVE-2021-24626 | 1 Chameleon Css Project | 1 Chameleon Css | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
The Chameleon CSS WordPress plugin through 1.2 does not have any CSRF and capability checks in all its AJAX calls, allowing any authenticated user, such as subscriber to call them and perform unauthorised actions. One of AJAX call, remove_css, also does not sanitise or escape the css_id POST parameter before using it in a SQL statement, leading to a SQL Injection
|
|||||
| CVE-2021-24625 | 1 Web-dorado | 1 Spidercatalog | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
The SpiderCatalog WordPress plugin through 1.7.3 does not sanitise or escape the 'parent' and 'ordering' parameters from the admin dashboard before using them in a SQL statement, leading to a SQL injection when adding a category
|
|||||
| CVE-2021-24606 | 1 Offshorewebmaster | 1 Availability Calendar | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
The Availability Calendar WordPress plugin before 1.2.1 does not escape the category attribute from its shortcode before using it in a SQL statement, leading to a SQL Injection issue, which can be exploited by any user able to add shortcode to posts/pages, such as contributor+
|
|||||
| CVE-2021-24580 | 1 Wow-estore | 1 Side Menu | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
The Side Menu Lite WordPress plugin before 2.2.6 does not sanitise user input from the List page in the admin dashboard before using it in SQL statement, leading to a SQL Injection issue
|
|||||
| CVE-2021-24575 | 1 Igexsolutions | 1 Wpschoolpress | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
The School Management System – WPSchoolPress WordPress plugin before 2.1.10 does not properly sanitize or use prepared statements before using POST variable in SQL queries, leading to SQL injection in multiple actions available to various authenticated users, from simple subscribers/students to teachers and above.
|
|||||
| CVE-2021-24557 | 1 Nimble3 | 1 M-vslider | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
The update functionality in the rslider_page uses an rs_id POST parameter which is not validated, sanitised or escaped before being inserted in sql query, therefore leading to SQL injection for users having Administrator role.
|
|||||
| CVE-2021-24555 | 1 Roosty | 1 Diary-availability-calendar | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
The daac_delete_booking_callback function, hooked to the daac_delete_booking AJAX action, takes the id POST parameter which is passed into the SQL statement without proper sanitisation, validation or escaping, leading to a SQL Injection issue. Furthermore, the ajax action is lacking any CSRF and capability check, making it available to any authenticated user.
|
|||||
| CVE-2021-24554 | 1 Freelancetoindia | 1 Paytm-pay | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
The Paytm – Donation Plugin WordPress plugin through 1.3.2 does not sanitise, validate or escape the id GET parameter before using it in a SQL statement when deleting donations, leading to an authenticated SQL injection issue
|
|||||
| CVE-2021-24553 | 1 Timeline Calendar Project | 1 Timeline Calendar | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
The Timeline Calendar WordPress plugin through 1.2 does not sanitise, validate or escape the edit GET parameter before using it in a SQL statement when editing events, leading to an authenticated SQL injection issue. Other SQL Injections are also present in the plugin
|
|||||
| CVE-2021-24552 | 1 Simple Events Calendar Project | 1 Simple Events Calendar | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
The Simple Events Calendar WordPress plugin through 1.4.0 does not sanitise, validate or escape the event_id POST parameter before using it in a SQL statement when deleting events, leading to an authenticated SQL injection issue
|
|||||
| CVE-2021-24551 | 1 Edit Comments Project | 1 Edit Comments | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
The Edit Comments WordPress plugin through 0.3 does not sanitise, validate or escape the jal_edit_comments GET parameter before using it in a SQL statement, leading to a SQL injection issue
|
|||||
| CVE-2021-24550 | 1 Broken Link Manager Project | 1 Broken Link Manager | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
The Broken Link Manager WordPress plugin through 0.6.5 does not sanitise, validate or escape the url GET parameter before using it in a SQL statement when retrieving an URL to edit, leading to an authenticated SQL injection issue
|
|||||
| CVE-2021-24521 | 1 Wow-estore | 1 Side Menu | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
The Side Menu Lite – add sticky fixed buttons WordPress plugin before 2.2.1 does not properly sanitize input values from the browser when building an SQL statement. Users with the administrator role or permission to manage this plugin could perform an SQL Injection attack.
|
|||||
| CVE-2021-24520 | 1 Coderstimes | 1 Out Of Stock Message For Woocommerce | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
The Stock in & out WordPress plugin through 1.0.4 lacks proper sanitization before passing variables to an SQL request, making it vulnerable to SQL Injection attacks. Users with a role of contributor or higher can exploit this vulnerability.
|
|||||
| CVE-2021-24511 | 1 Dpl | 1 Product Feed On Woocommerce | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
The fetch_product_ajax functionality in the Product Feed on WooCommerce WordPress plugin before 3.3.1.0 uses a `product_id` POST parameter which is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection.
|
|||||
| CVE-2021-24507 | 1 Brainstormforce | 1 Astra | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
The Astra Pro Addon WordPress plugin before 3.5.2 did not properly sanitise or escape some of the POST parameters from the astra_pagination_infinite and astra_shop_pagination_infinite AJAX action (available to both unauthenticated and authenticated user) before using them in SQL statement, leading to an SQL Injection issues
|
|||||
| CVE-2021-24506 | 1 Quantumcloud | 1 Slider Hero | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
The Slider Hero with Animation, Video Background & Intro Maker WordPress plugin before 8.2.7 does not sanitise or escape the id attribute of its hero-button shortcode before using it in a SQL statement, allowing users with a role as low as Contributor to perform SQL injection.
|
|||||
| CVE-2021-24497 | 1 Satollo | 1 Giveaway | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
The Giveaway WordPress plugin through 1.2.2 is vulnerable to an SQL Injection issue which allows an administrative user to execute arbitrary SQL commands via the $post_id on the options.php page.
|
|||||
| CVE-2021-24492 | 1 Handsome Testimonials \& Reviews Project | 1 Handsome Testimonials \& Reviews | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
The hndtst_action_instance_callback AJAX call of the Handsome Testimonials & Reviews WordPress plugin before 2.1.1, available to any authenticated users, does not sanitise, validate or escape the hndtst_previewShortcodeInstanceId POST parameter before using it in a SQL statement, leading to an SQL Injection issue.
|
|||||
| CVE-2021-24484 | 1 Ays-pro | 1 Secure Copy Content Protection And Content Locking | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
The get_reports() function in the Secure Copy Content Protection and Content Locking WordPress plugin before 2.6.7 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard
|
|||||
| CVE-2021-24483 | 1 Ays-pro | 1 Poll Maker | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
The get_poll_categories(), get_polls() and get_reports() functions in the Poll Maker WordPress plugin before 3.2.1 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard
|
|||||
| CVE-2021-24465 | 1 Meowapps | 1 Meow Gallery | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
|
The Meow Gallery WordPress plugin before 4.1.9 does not sanitise, validate or escape the ids attribute of its gallery shortcode (available for users as low as Contributor) before using it in an SQL statement, leading to an authenticated SQL Injection issue. The injection also allows the returned values to be manipulated in a way that could lead to data disclosure and arbitrary objects to be deserialized.
|
|||||
| CVE-2021-24463 | 1 Ays-pro | 1 Image Slider | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
The get_sliders() function in the Image Slider by Ays- Responsive Slider and Carousel WordPress plugin before 2.5.0 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard
|
|||||
| CVE-2021-24462 | 1 Ays-pro | 1 Photo Gallery | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
The get_gallery_categories() and get_galleries() functions in the Photo Gallery by Ays – Responsive Image Gallery WordPress plugin before 4.4.4 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard
|
|||||
| CVE-2021-24461 | 1 Ays-pro | 1 Faq Builder | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
The get_faqs() function in the FAQ Builder AYS WordPress plugin before 1.3.6 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard
|
|||||
| CVE-2021-24460 | 1 Ays-pro | 1 Popup Box | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
The get_fb_likeboxes() function in the Popup Like box – Page Plugin WordPress plugin before 3.5.3 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard
|
|||||
| CVE-2021-24459 | 1 Ays-pro | 1 Survey Maker | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
The get_results() and get_items() functions in the Survey Maker WordPress plugin before 1.5.6 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard
|
|||||
| CVE-2021-24458 | 1 Ays-pro | 1 Popup Box | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
The get_ays_popupboxes() and get_popup_categories() functions of the Popup box WordPress plugin before 2.3.4 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard
|
|||||
| CVE-2021-24457 | 1 Ays-pro | 1 Portfolio Responsive Gallery | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
The get_portfolios() and get_portfolio_attributes() functions in the class-portfolio-responsive-gallery-list-table.php and class-portfolio-responsive-gallery-attributes-list-table.php files of the Portfolio Responsive Gallery WordPress plugin before 1.1.8 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard
|
|||||
| CVE-2021-24456 | 1 Ays-pro | 1 Quiz Maker | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
The Quiz Maker WordPress plugin before 6.2.0.9 did not properly sanitise and escape the order and orderby parameters before using them in SQL statements, leading to SQL injection issues in the admin dashboard
|
|||||
| CVE-2021-24451 | 1 Export Users With Meta Project | 1 Export Users With Meta | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
The Export Users With Meta WordPress plugin before 0.6.5 did not escape the list of roles to export before using them in a SQL statement in the export functionality, available to admins, leading to an authenticated SQL Injection.
|
|||||