Total
7108 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24962 | 1 Iptanus | 2 Wordpress File Upload, Wordpress File Upload Pro | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| The WordPress File Upload Free and Pro WordPress plugins before 4.16.3 allow users with a role as low as Contributor to perform path traversal via a shortcode argument, which can then be used to upload a PHP code disguised as an image inside the auto-loaded directory of the plugin, resulting in arbitrary code execution. | |||||
| CVE-2021-24820 | 1 Bold-themes | 1 Cost Calculator | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Cost Calculator WordPress plugin through 1.6 allows authenticated users (Contributor+ in versions < 1.5, and Admin+ in versions <= 1.6) to perform path traversal and local PHP file inclusion on Windows Web Servers via the Cost Calculator post's Layout | |||||
| CVE-2021-24761 | 1 Bestwebsoft | 1 Error Log Viewer | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Error Log Viewer WordPress plugin before 1.1.2 does not perform nonce check when deleting a log file and does not have path traversal prevention, which could allow attackers to make a logged in admin delete arbitrary text files on the web server. | |||||
| CVE-2021-24692 | 1 Tipsandtricks-hq | 1 Simple Download Monitor | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Simple Download Monitor WordPress plugin before 3.9.5 allows users with a role as low as Contributor to download any file on the web server (such as wp-config.php) via a path traversal vector. | |||||
| CVE-2021-24689 | 1 Wpeverest | 1 Contact Form | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| The Contact Forms - Drag & Drop Contact Form Builder WordPress plugin through 1.0.5 allows high privilege users to download arbitrary files from the web server via a path traversal attack | |||||
| CVE-2021-24644 | 1 Imagestowebp Project | 1 Images To Webp | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The Images to WebP WordPress plugin before 1.9 does not validate or sanitise the tab parameter before passing it to the include() function, which could lead to a Local File Inclusion issue | |||||
| CVE-2021-24639 | 1 Ffw | 1 Omgf | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| The OMGF WordPress plugin before 4.5.4 does not enforce path validation, authorisation and CSRF checks in the omgf_ajax_empty_dir AJAX action, which allows any authenticated users to delete arbitrary files or folders on the server. | |||||
| CVE-2021-24638 | 1 Ffw | 1 Omgf | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| The OMGF WordPress plugin before 4.5.4 does not escape or validate the handle parameter of the REST API, which allows unauthenticated users to perform path traversal and overwrite arbitrary CSS file with Google Fonts CSS, or download fonts uploaded on Google Fonts website. | |||||
| CVE-2021-24566 | 1 Pluginus | 1 Fox - Currency Switcher Professional For Woocommerce | 2024-11-21 | N/A | 8.8 HIGH |
| The WooCommerce Currency Switcher FOX WordPress plugin before 1.3.7 was vulnerable to LFI attacks via the "woocs" shortcode. | |||||
| CVE-2021-24549 | 1 Aceide Project | 1 Aceide | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| The AceIDE WordPress plugin through 2.6.2 does not sanitise or validate the user input which is appended to system paths before using it in various actions, such as to read arbitrary files from the server. This allows high privilege users such as administrator to access any file on the web server outside of the blog directory via a path traversal attack. | |||||
| CVE-2021-24453 | 1 Include Me Project | 1 Include Me | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| The Include Me WordPress plugin through 1.2.1 is vulnerable to path traversal / local file inclusion, which can lead to Remote Code Execution (RCE) of the system due to log poisoning and therefore potentially a full compromise of the underlying structure | |||||
| CVE-2021-24447 | 1 Silkypress | 1 Wp Image Zoom | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| The WP Image Zoom WordPress plugin before 1.47 did not validate its tab parameter before using it in the include_once() function, leading to a local file inclusion issue in the admin dashboard | |||||
| CVE-2021-24375 | 1 Stockware | 1 Motor | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Lack of authentication or validation in motor_load_more, motor_gallery_load_more, motor_quick_view and motor_project_quick_view AJAX handlers of the Motor WordPress theme before 3.1.0 allows an unauthenticated attacker access to arbitrary files in the server file system, and to execute arbitrary php scripts found on the server file system. We found no vulnerability for uploading files with this theme, so any scripts to be executed must already be on the server file system. | |||||
| CVE-2021-24363 | 1 10web | 1 Photo Gallery | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded files are kept inside its uploads folder, allowing high privilege users to put images/SVG anywhere in the filesystem via a path traversal vector | |||||
| CVE-2021-24242 | 1 Themeum | 1 Tutor Lms | 2024-11-21 | 5.5 MEDIUM | 3.8 LOW |
| The Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.8 is affected by a local file inclusion vulnerability through the maliciously constructed sub_page parameter of the plugin's Tools, allowing high privilege users to include any local php file | |||||
| CVE-2021-24035 | 1 Whatsapp | 1 Whatsapp | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| A lack of filename validation when unzipping archives prior to WhatsApp for Android v2.21.8.13 and WhatsApp Business for Android v2.21.8.13 could have allowed path traversal attacks that overwrite WhatsApp files. | |||||
| CVE-2021-24013 | 1 Fortinet | 1 Fortimail | 2024-11-21 | 4.0 MEDIUM | 8.8 HIGH |
| Multiple Path traversal vulnerabilities in the Webmail of FortiMail before 6.4.4 may allow a regular user to obtain unauthorized access to files and data via specifically crafted web requests. | |||||
| CVE-2021-24010 | 1 Fortinet | 1 Fortisandbox | 2024-11-21 | 4.0 MEDIUM | 8.1 HIGH |
| Improper limitation of a pathname to a restricted directory vulnerabilities in FortiSandbox 3.2.0 through 3.2.2, and 3.1.0 through 3.1.4 may allow an authenticated user to obtain unauthorized access to files and data via specifially crafted web requests. | |||||
| CVE-2021-23797 | 1 Http-server-node Project | 1 Http-server-node | 2024-11-21 | 7.5 HIGH | 7.5 HIGH |
| All versions of package http-server-node are vulnerable to Directory Traversal via use of --path-as-is. | |||||
| CVE-2021-23631 | 1 Convert-svg-core Project | 1 Convert-svg-core | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| This affects all versions of package convert-svg-core; all versions of package convert-svg-to-png; all versions of package convert-svg-to-jpeg. Using a specially crafted SVG file, an attacker could read arbitrary files from the file system and then show the file content as a converted PNG file. | |||||