Total: 7987 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2021-24434 | 1 Codeblab | 1 Glass | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Glass WordPress plugin through 1.3.2 does not sanitise or escape its "Glass Pages" setting before outputting it in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin did not have a CSRF check in place when saving its settings, allowing the issue to be exploited via a CSRF attack.
CVE-2021-24431 | 1 Language Bar Flags Project | 1 Language Bar Flags | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | The Language Bar Flags WordPress plugin through 1.0.8 does not have any CSRF check in place when saving its settings and did not sanitise or escape them when generating the flag bar in the frontend. This could allow attackers to make a logged in admin change the settings and set a Cross-Site Scripting payload in them, which will be executed in the frontend for all users.
CVE-2021-24411 | 1 Social Tape Project | 1 Social Tape | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Social Tape WordPress plugin through 1.0 does not have CSRF checks in place when saving its settings, and does not sanitise or escape them before outputting them back in the page, leading to a Stored Cross-Site Scripting issue via a CSRF attack.
CVE-2021-24410 | 1 Telugu Bible Verse Daily Project | 1 Telugu Bible Verse Daily | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The తెలుగు బైబిల్ వచనములు WordPress plugin through 1.0 is lacking any CSRF check when saving its settings and verses, and does not sanitise or escape them when outputting them back in the page. This could allow attackers to make a logged in admin change the settings, as well as add malicious verses containing JavaScript code, leading to Stored XSS issues.
CVE-2021-24388 | 1 E4j | 1 Vikrentcar Car Rental Management System | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | In the VikRentCar Car Rental Management System WordPress plugin before 1.1.7, there is a custom field option by which all the fields that users must fill in before saving an order can be managed. However, the field name is not sanitised or escaped before being output back in the page, leading to a Stored Cross-Site Scripting issue. There is also no CSRF check done before saving the setting, allowing attackers to make a logged in admin set arbitrary Custom Fields, including one with an XSS payload in it.
CVE-2021-24380 | 1 Shantz Wordpress Qotd Project | 1 Shantz Wordpress Qotd | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | The Shantz WordPress QOTD WordPress plugin through 1.2.2 is lacking any CSRF check when updating its settings, allowing attackers to make logged in administrators change them to arbitrary values.
CVE-2021-24349 | 1 Gallery From Files Project | 1 Gallery From Files | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Gallery from files WordPress plugin through 1.6.0 provides the functionality of uploading images to the server. However, filenames are not properly sanitised before being output in an error message when they have an invalid extension, leading to a Reflected Cross-Site Scripting issue. Due to the lack of a CSRF check, the attack could also be performed via such a vector.
CVE-2021-24333 | 1 Content Copy Protection & Prevent Image Save Project | 1 Content Copy Protection & Prevent Image Save | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | The Content Copy Protection & Prevent Image Save WordPress plugin through 1.3 does not check for CSRF when saving its settings, nor perform any validation and sanitisation on them, allowing attackers to make a logged in administrator set arbitrary XSS payloads in them.
CVE-2021-24328 | 1 Clogica | 1 Wp Login Security And History | 2024-11-21 | 3.5 LOW | 6.2 MEDIUM | The WP Login Security and History WordPress plugin through 1.0 did not have a CSRF check when saving its settings, nor any sanitisation or validation on them. This could allow attackers to make logged in administrators change the plugin's settings to arbitrary values, and set XSS payloads in them as well.
CVE-2021-24324 | 1 Clogica | 1 All 404 Redirect To Homepage | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | The 404 SEO Redirection WordPress plugin through 1.3 is lacking CSRF checks in all its settings, allowing attackers to make a logged in user change the plugin's settings. Due to the lack of sanitisation and escaping in some fields, it could also lead to Stored Cross-Site Scripting issues.
CVE-2021-24272 | 1 Codeinitiator | 1 Fitness Calculators | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | The fitness calculators WordPress plugin before 1.9.6 adds calculators for Water Intake, BMI, Protein Intake, and Body Fat and was lacking a CSRF check, allowing attackers to make logged in users perform unwanted actions, such as changing the calculator headers. Due to the lack of sanitisation, this could also lead to a Stored Cross-Site Scripting issue.
CVE-2021-24251 | 1 Strategy11 | 1 Business Directory Plugin - Easy Listing Directories | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM | The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator update arbitrary payment history, such as changing its status (from pending to completed, for example).
CVE-2021-24249 | 1 Strategy11 | 1 Business Directory Plugin - Easy Listing Directories | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator export files, which could then be downloaded by the attacker to get access to PII, such as email and home addresses.
CVE-2021-24231 | 1 Patreon | 1 Patreon Wordpress | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM | The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the Patreon WordPress plugin before 1.7.0, allowing attackers to make a logged in administrator disconnect the site from Patreon by visiting a specially crafted link.
CVE-2021-24230 | 1 Patreon | 1 Patreon Wordpress | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH | The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the Patreon WordPress plugin before 1.7.0, allowing attackers to make a logged in user overwrite or create arbitrary user metadata on the victim's account once a crafted link is visited. If exploited, this bug can be used to overwrite the "wp_capabilities" meta, which contains the affected user account's roles and privileges. Doing this would essentially lock them out of the site, blocking them from accessing paid content.
CVE-2021-24218 | 1 Facebook | 1 Facebook | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection. The settings in the saveFbeSettings function had no sanitisation, allowing script tags to be saved.
CVE-2021-24179 | 1 Strategy11 | 1 Business Directory Plugin - Easy Listing Directories | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator import files. As the plugin also did not validate uploaded files, it could lead to RCE.
CVE-2021-24178 | 1 Strategy11 | 1 Business Directory Plugin - Easy Listing Directories | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH | The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.1 suffered from Cross-Site Request Forgery issues, allowing an attacker to make a logged in administrator add, edit or delete form fields, which could also lead to Stored Cross-Site Scripting issues.
CVE-2021-24174 | 1 Database-backups Project | 1 Database-backups | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH | The Database Backups WordPress plugin through 1.2.2.6 does not have CSRF checks, allowing attackers to make a logged in user perform unwanted actions, such as generating backups of the database, changing the plugin's settings and deleting backups.
CVE-2021-24173 | 1 Vm Backups Project | 1 Vm Backups | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The VM Backups WordPress plugin through 1.0 does not have CSRF checks, allowing attackers to make a logged in user perform unwanted actions, such as updating the plugin's options, leading to a Stored Cross-Site Scripting issue.