Total
7987 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24804 | 1 Simple Jwt Login Project | 1 Simple Jwt Login | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| The Simple JWT Login WordPress plugin before 3.2.1 does not have nonce checks when saving its settings, allowing attackers to make a logged in admin changed them. Settings such as HMAC verification secret, account registering and default user roles can be updated, which could result in site takeover. | |||||
| CVE-2021-24803 | 1 Core Tweaks Wp Setup Project | 1 Core Tweaks Wp Setup | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| The Core Tweaks WP Setup WordPress plugin through 4.1 allows to bulk-set many settings in WordPress, including the admin email, as well as creating a new admin account. There is no CSRF protection in place, allowing an attacker to arbitrary change the admin email or create another admin account and takeover the website via CSRF attacks | |||||
| CVE-2021-24802 | 1 Gesundheit-bewegt | 1 Colorful Categories | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Colorful Categories WordPress plugin before 2.0.15 does not enforce nonce checks which could allow attackers to make a logged in admin or editor change taxonomy colors via a CSRF attack | |||||
| CVE-2021-24801 | 1 Wp Survey Plus Project | 1 Wp Survey Plus | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| The WP Survey Plus WordPress plugin through 1.0 does not have any authorisation and CSRF checks in place in its AJAX actions, allowing any user to call them and add/edit/delete Surveys. Furthermore, due to the lack of sanitization in the Surveys' Title, this could also lead to Stored Cross-Site Scripting issues | |||||
| CVE-2021-24799 | 1 Tipsandtricks-hq | 1 Far Future Expiry Header | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Far Future Expiry Header WordPress plugin before 1.5 does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. | |||||
| CVE-2021-24795 | 1 Phoeniixx | 1 Filter Portfolio Gallery | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Filter Portfolio Gallery WordPress plugin through 1.5 is lacking Cross-Site Request Forgery (CSRF) check when deleting a Gallery, which could allow attackers to make a logged in admin delete arbitrary Gallery. | |||||
| CVE-2021-24790 | 1 Contact Form Advanced Database Project | 1 Contact Form Advanced Database | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Contact Form Advanced Database WordPress plugin through 1.0.8 does not have any authorisation as well as CSRF checks in its delete_cf7_data and export_cf7_data AJAX actions, available to any authenticated users, which could allow users with a role as low as subscriber to call them. The delete_cf7_data would lead to arbitrary metadata deletion, as well as PHP Object Injection if a suitable gadget chain is present in another plugin, as user data is passed to the maybe_unserialize() function without being first validated. | |||||
| CVE-2021-24784 | 1 Wp Admin Logo Changer Project | 1 Wp Admin Logo Changer | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The WP Admin Logo Changer WordPress plugin through 1.0 does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin update them via a CSRF attack. | |||||
| CVE-2021-24780 | 1 Single Post Exporter Project | 1 Single Post Exporter | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Single Post Exporter WordPress plugin through 1.1.1 does not have CSRF checks when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and give access to the export feature to any role such as subscriber. Subscriber users would then be able to export an arbitrary post/page (such as private and password protected) via a direct URL | |||||
| CVE-2021-24779 | 1 Wp Debugging Project | 1 Wp Debugging | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The WP Debugging WordPress plugin before 2.11.0 has its update_settings() function hooked to admin_init and is missing any authorisation and CSRF checks, as a result, the settings can be updated by unauthenticated users. | |||||
| CVE-2021-24776 | 1 Wp Performance Score Booster Project | 1 Wp Performance Score Booster | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| The WP Performance Score Booster WordPress plugin before 2.1 does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. | |||||
| CVE-2021-24767 | 1 Fullworks | 1 Redirect 404 Error Page To Homepage Or Custom Page With Logs | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Redirect 404 Error Page to Homepage or Custom Page with Logs WordPress plugin before 1.7.9 does not check for CSRF when deleting logs, which could allow attacker to make a logged in admin delete them via a CSRF attack | |||||
| CVE-2021-24766 | 1 404 To 301 Project | 1 404 To 301 | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The 404 to 301 – Redirect, Log and Notify 404 Errors WordPress plugin before 3.0.9 does not have CSRF check in place when cleaning the logs, which could allow attacker to make a logged in admin delete all of them via a CSRF attack | |||||
| CVE-2021-24763 | 1 Getperfectsurvey | 1 Perfect Survey | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| The Perfect Survey WordPress plugin before 1.5.2 does not have proper authorisation nor CSRF checks in the save_global_setting AJAX action, allowing unauthenticated users to edit surveys and modify settings. Given the lack of sanitisation and escaping in the settings, this could also lead to a Stored Cross-Site Scripting issue which will be executed in the context of a user viewing any survey | |||||
| CVE-2021-24761 | 1 Bestwebsoft | 1 Error Log Viewer | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Error Log Viewer WordPress plugin before 1.1.2 does not perform nonce check when deleting a log file and does not have path traversal prevention, which could allow attackers to make a logged in admin delete arbitrary text files on the web server. | |||||
| CVE-2021-24752 | 1 Catchplugins | 10 Catch Scroll Progress Bar, Catch Sticky Menu, Catch Themes Demo Import and 7 more | 2024-11-21 | 3.5 LOW | 5.7 MEDIUM |
| Multiple Plugins from the CatchThemes vendor do not perform capability and CSRF checks in the ctp_switch AJAX action, which could allow any authenticated users, such as Subscriber to change the Essential Widgets WordPress plugin before 1.9, To Top WordPress plugin before 2.3, Header Enhancement WordPress plugin before 1.5, Generate Child Theme WordPress plugin before 1.6, Essential Content Types WordPress plugin before 1.9, Catch Web Tools WordPress plugin before 2.7, Catch Under Construction WordPress plugin before 1.4, Catch Themes Demo Import WordPress plugin before 1.6, Catch Sticky Menu WordPress plugin before 1.7, Catch Scroll Progress Bar WordPress plugin before 1.6, Social Gallery and Widget WordPress plugin before 2.3, Catch Infinite Scroll WordPress plugin before 1.9, Catch Import Export WordPress plugin before 1.9, Catch Gallery WordPress plugin before 1.7, Catch Duplicate Switcher WordPress plugin before 1.6, Catch Breadcrumb WordPress plugin before 1.7, Catch IDs WordPress plugin before 2.4's configurations. | |||||
| CVE-2021-24749 | 1 Kazencoders | 1 Url Shortify | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| The URL Shortify WordPress plugin before 1.5.1 does not have CSRF check in place when bulk-deleting links or groups, which could allow attackers to make a logged in admin delete arbitrary link and group via a CSRF attack. | |||||
| CVE-2021-24735 | 1 Tipsandtricks-hq | 1 Compact Wp Audio Player | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Compact WP Audio Player WordPress plugin before 1.9.7 does not implement nonce checks, which could allow attackers to make a logged in admin change the "Disable Simultaneous Play" setting via a CSRF attack. | |||||
| CVE-2021-24730 | 1 Infornweb | 1 Logo Showcase With Slick Slider | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Logo Showcase with Slick Slider WordPress plugin before 1.2.5 does not have CSRF and authorisation checks in the lswss_save_attachment_data AJAX action, allowing any authenticated users, such as Subscriber, to change title, description, alt text, and URL of arbitrary uploaded media. | |||||
| CVE-2021-24725 | 1 Quantumcloud | 1 Comment Link Remove And Other Comment Tools | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Comment Link Remove and Other Comment Tools WordPress plugin before 2.1.6 does not have CSRF check in its 'Delete comments easily', which could allow attackers to make logged in admin delete arbitrary comments | |||||