Vulnerabilities (CVE)

Filtered by CWE-352
Total 7987 CVE
CVE | Vendors (count, name) | Products (count, name) | Updated | CVSS v2 | CVSS v3
CVE-2021-25095 1 Ip2location 1 Country Blocker 2024-11-21 5.5 MEDIUM 7.1 HIGH
The IP2Location Country Blocker WordPress plugin before 2.26.5 does not have authorisation and CSRF checks in the ip2location_country_blocker_save_rules AJAX action, allowing any authenticated user, such as a subscriber, to call it and block an arbitrary country, or block all of them at once, preventing users from accessing the frontend.
CVE-2021-25092 1 Ylefebvre 1 Link Library 2024-11-21 4.3 MEDIUM 6.5 MEDIUM
The Link Library WordPress plugin before 7.2.8 does not have a CSRF check when resetting library settings, allowing attackers to make a logged-in admin reset arbitrary settings via a CSRF attack.
CVE-2021-25081 1 Wpgooglemap 1 Wp Google Map 2024-11-21 4.3 MEDIUM 6.5 MEDIUM
The Maps Plugin using Google Maps for WordPress plugin before 1.8.4 does not have CSRF checks in most of its AJAX actions, which could allow attackers to make logged-in admins delete arbitrary posts and update the plugin's settings via a CSRF attack.
CVE-2021-25073 1 Webmaster-source 1 Wp125 2024-11-21 6.8 MEDIUM 8.8 HIGH
The WP125 WordPress plugin before 1.5.5 does not have CSRF checks in various actions, for example when deleting an ad, allowing attackers to make a logged-in admin delete them via a CSRF attack.
CVE-2021-25072 1 Nextscripts 1 Social Networks Auto Poster 2024-11-21 4.3 MEDIUM 6.5 MEDIUM
The NextScripts: Social Networks Auto-Poster WordPress plugin before 4.3.25 does not have a CSRF check in place when deleting items, allowing attackers to make a logged-in admin delete arbitrary posts via a CSRF attack.
CVE-2021-25053 1 Wow-company 1 Wp Coder 2024-11-21 5.1 MEDIUM 8.8 HIGH
The WP Coder WordPress plugin before 2.5.2, within the wow-company admin menu page, allows include() of an arbitrary file with a PHP extension (as well as via the data:// or http:// protocols), thus leading to RCE via CSRF.
CVE-2021-25052 1 Wow-company 1 Button Generator 2024-11-21 5.1 MEDIUM 8.8 HIGH
The Button Generator WordPress plugin before 2.3.3, within the wow-company admin menu page, allows include() of an arbitrary file with a PHP extension (as well as via the data:// or http:// protocols), thus leading to RCE via CSRF.
CVE-2021-25051 1 Wow-company 1 Modal Window 2024-11-21 5.1 MEDIUM 8.8 HIGH
The Modal Window WordPress plugin before 5.2.2, within the wow-company admin menu page, allows include() of an arbitrary file with a PHP extension (as well as via the data:// or http:// protocols), thus leading to RCE via CSRF.
CVE-2021-25032 1 Publishpress 1 Capabilities 2024-11-21 7.5 HIGH 9.8 CRITICAL
The PublishPress Capabilities WordPress plugin before 2.3.1 and PublishPress Capabilities Pro WordPress plugin before 2.3.1 do not have authorisation and CSRF checks when updating the plugin's settings via the init hook, and do not ensure that the options to be updated belong to the plugin. As a result, unauthenticated attackers could update arbitrary blog options, such as the default role, and give every newly registered user the administrator role.
CVE-2021-25025 1 Theeventscalendar 1 Eventcalendar 2024-11-21 4.0 MEDIUM 4.3 MEDIUM
The EventCalendar WordPress plugin before 1.1.51 does not have proper authorisation and CSRF checks in the add_calendar_event AJAX action, allowing users with a role as low as subscriber to create events.
CVE-2021-25013 1 Themeum 1 Qubely 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
The Qubely WordPress plugin before 1.7.8 does not have authorisation and CSRF checks on the qubely_delete_saved_block AJAX action, and does not ensure that the block to be deleted belongs to the plugin. As a result, any authenticated user, such as a subscriber, can delete arbitrary posts.
CVE-2021-25011 1 Wpgooglemap 1 Wp Google Map 2024-11-21 3.5 LOW 5.7 MEDIUM
The Maps Plugin using Google Maps for WordPress plugin before 1.8.1 does not have proper authorisation and CSRF checks in most of its AJAX actions, which could allow any authenticated user, such as a subscriber, to delete arbitrary posts and update the plugin's settings.
CVE-2021-25010 1 Postsnippets 1 Post Snippets 2024-11-21 6.8 MEDIUM 9.6 CRITICAL
The Post Snippets WordPress plugin before 3.1.4 does not have a CSRF check when importing files, allowing attackers to make a logged-in admin import arbitrary snippets. Furthermore, imported snippets are not sanitised and escaped, which could lead to Stored Cross-Site Scripting issues.
CVE-2021-24993 1 Etoilewebdesign 1 Ultimate Product Catalog 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
The Ultimate Product Catalog WordPress plugin before 5.0.26 does not have authorisation and CSRF checks in some AJAX actions, which could allow any authenticated user, such as a subscriber, to call them and, for example, add arbitrary products or change the plugin's settings.
CVE-2021-24989 1 Wpplugin 1 Accept Donations With Paypal 2024-11-21 4.3 MEDIUM 6.5 MEDIUM
The Accept Donations with PayPal WordPress plugin before 1.3.4 does not have a CSRF check in place and does not ensure that the post to be deleted belongs to the plugin, allowing attackers to make a logged-in admin delete arbitrary posts from the blog.
CVE-2021-24988 1 Wprssaggregator 1 Wp Rss Aggregator 2024-11-21 3.5 LOW 5.4 MEDIUM
The WP RSS Aggregator WordPress plugin before 4.19.3 does not sanitise and escape data before outputting it in the System Info admin dashboard, which could lead to a Stored XSS issue because the wprss_dismiss_addon_notice AJAX action is missing authorisation and CSRF checks, allowing any authenticated user, such as a subscriber, to call it and set a malicious payload in the addon parameter.
CVE-2021-24981 1 Wpwax 1 Directorist 2024-11-21 5.1 MEDIUM 7.5 HIGH
The Directorist WordPress plugin before 7.0.6.2 was vulnerable to Cross-Site Request Forgery to Remote File Upload leading to arbitrary PHP shell uploads in the wp-content/plugins directory.
CVE-2021-24978 1 B4after 1 Osmapper 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
The OSMapper WordPress plugin through 2.1.5 contains an AJAX action to delete posts of the plugin-related post type 'map'; the action is registered with the wp_ajax_nopriv prefix, making it available to unauthenticated users. There are no authorisation or CSRF checks, and no check to ensure that the post to delete is a map. As a result, unauthenticated users can delete arbitrary posts from the blog.
CVE-2021-24968 1 Etoilewebdesign 1 Ultimate Faq 2024-11-21 3.5 LOW 5.7 MEDIUM
The Ultimate FAQ WordPress plugin before 2.1.2 does not have capability and CSRF checks in the ewd_ufaq_welcome_add_faq and ewd_ufaq_welcome_add_faq_page AJAX actions, which are available to any authenticated user. As a result, any user with a role as low as Subscriber could create FAQs and FAQ questions.
CVE-2021-24947 1 Thinkupthemes 1 Responsive Vector Maps 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
The RVM WordPress plugin before 6.4.2 does not have proper authorisation, CSRF checks, or validation of the rvm_upload_regions_file_path parameter in the rvm_import_regions AJAX action, allowing any authenticated user, such as a subscriber, to read arbitrary files on the web server.