Total
37683 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24409 | 1 Plugin-planet | 1 Prismatic | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Prismatic WordPress plugin before 2.8 does not escape the 'tab' GET parameter before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator | |||||
| CVE-2021-24408 | 1 Plugin-planet | 1 Prismatic | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Prismatic WordPress plugin before 2.8 does not sanitise or validate some of its shortcode parameters, allowing users with a role as low as Contributor to set Cross-Site payload in them. A post made by a contributor would still have to be approved by an admin to have the XSS trigger able in the frontend, however, higher privilege users, such as editor could exploit this without the need of approval, and even when the blog disallows the unfiltered_html capability. | |||||
| CVE-2021-24407 | 1 Tielabs | 1 Jannah | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Jannah WordPress theme before 5.4.5 did not properly sanitize the 'query' POST parameter in its tie_ajax_search AJAX action, leading to a Reflected Cross-site Scripting (XSS) vulnerability. | |||||
| CVE-2021-24389 | 1 Chimpgroup | 1 Foodbakery | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WP Foodbakery WordPress plugin before 2.2, used in the FoodBakery WordPress theme before 2.2 did not properly sanitize the foodbakery_radius parameter before outputting it back in the response, leading to an unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2021-24388 | 1 E4j | 1 Vikrentcar Car Rental Management System | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| In the VikRentCar Car Rental Management System WordPress plugin before 1.1.7, there is a custom filed option by which we can manage all the fields that the users will have to fill in before saving the order. However, the field name is not sanitised or escaped before being output back in the page, leading to a stored Cross-Site Scripting issue. There is also no CSRF check done before saving the setting, allowing attackers to make a logged in admin set arbitrary Custom Fields, including one with XSS payload in it. | |||||
| CVE-2021-24387 | 1 Contempothemes | 1 Real Estate 7 | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WP Pro Real Estate 7 WordPress theme before 3.1.1 did not properly sanitise the ct_community parameter in its search listing page before outputting it back in it, leading to a reflected Cross-Site Scripting which can be triggered in both unauthenticated or authenticated user context | |||||
| CVE-2021-24386 | 1 Kubiq | 1 Wp Svg Images | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The WP SVG images WordPress plugin before 3.4 did not sanitise the SVG files uploaded, which could allow low privilege users such as author+ to upload a malicious SVG and then perform XSS attacks by inducing another user to access the file directly. In v3.4, the plugin restricted such upload to editors and admin, with an option to also allow author to do so. The description of the plugin has also been updated with a security warning as upload of such content is intended. | |||||
| CVE-2021-24383 | 1 Codecabin | 1 Wp Go Maps | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The WP Google Maps WordPress plugin before 8.1.12 did not sanitise, validate of escape the Map Name when output in the Map List of the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue | |||||
| CVE-2021-24382 | 1 Nextendweb | 1 Smart Slider | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Smart Slider 3 Free and pro WordPress plugins before 3.5.0.9 did not sanitise the Project Name before outputting it back in the page, leading to a Stored Cross-Site Scripting issue. By default, only administrator users could access the affected functionality, limiting the exploitability of the vulnerability. However, some WordPress admins may allow lesser privileged users to access the plugin's functionality, in which case, privilege escalation could be performed. | |||||
| CVE-2021-24381 | 1 Ninjaforms | 1 Contact Form | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Ninja Forms Contact Form WordPress plugin before 3.5.8.2 does not sanitise and escape the custom class name of the form field created, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-24378 | 1 Autoptimize | 1 Autoptimize | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Autoptimize WordPress plugin before 2.7.8 does not check for malicious files such as .html in the archive uploaded via the 'Import Settings' feature. As a result, it is possible for a high privilege user to upload a malicious file containing JavaScript code inside an archive which will execute when a victim visits index.html inside the plugin directory. | |||||
| CVE-2021-24373 | 1 Getastra | 1 Wp Hardening | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WP Hardening – Fix Your WordPress Security WordPress plugin before 1.2.2 did not sanitise or escape the historyvalue GET parameter before outputting it in a Javascript block, leading to a reflected Cross-Site Scripting issue. | |||||
| CVE-2021-24372 | 1 Getastra | 1 Wp Hardening | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WP Hardening – Fix Your WordPress Security WordPress plugin before 1.2.2 did not sanitise or escape the $_SERVER['REQUEST_URI'] before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue. | |||||
| CVE-2021-24369 | 1 Ayecode | 1 Getpaid | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| In the GetPaid WordPress plugin before 2.3.4, users with the contributor role and above can create a new Payment Form, however the Label and Help Text input fields were not getting sanitized properly. So it was possible to inject malicious content such as img tags, leading to a Stored Cross-Site Scripting issue which is triggered when the form will be edited, for example when an admin reviews it and could lead to privilege escalation. | |||||
| CVE-2021-24368 | 1 Expresstech | 1 Quiz And Survey Master | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This could allow for privilege escalation by inducing a logged in admin to open a malicious link | |||||
| CVE-2021-24367 | 1 Wp Config File Editor Project | 1 Wp Config File Editor | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The WP Config File Editor WordPress plugin through 1.7.1 was affected by an Authenticated Stored Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2021-24365 | 1 Admincolumns | 1 Admin Columns | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Admin Columns WordPress plugin Free before 4.3.2 and Pro before 5.5.2 allowed to configure individual columns for tables. Each column had a type. The type "Custom Field" allowed to choose an arbitrary database column to display in the table. There was no escaping applied to the contents of "Custom Field" columns. | |||||
| CVE-2021-24364 | 1 Tielabs | 1 Jannah | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Jannah WordPress theme before 5.4.4 did not properly sanitize the options JSON parameter in its tie_get_user_weather AJAX action before outputting it back in the page, leading to a Reflected Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2021-24362 | 1 10web | 1 Photo Gallery | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded SVG files added to a gallery do not contain malicious content. As a result, users allowed to add images to gallery can upload an SVG file containing JavaScript code, which will be executed when accessing the image directly (ie in the /wp-content/uploads/photo-gallery/ folder), leading to a Cross-Site Scripting (XSS) issue | |||||
| CVE-2021-24357 | 1 Fooplugins | 1 Foogallery | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| In the Best Image Gallery & Responsive Photo Gallery – FooGallery WordPress plugin before 2.0.35, the Custom CSS field of each gallery is not properly sanitised or validated before being being output in the page where the gallery is embed, leading to a stored Cross-Site Scripting issue. | |||||