Total
39597 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24369 | 1 Ayecode | 1 Getpaid | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| In the GetPaid WordPress plugin before 2.3.4, users with the contributor role and above can create a new Payment Form, however the Label and Help Text input fields were not getting sanitized properly. So it was possible to inject malicious content such as img tags, leading to a Stored Cross-Site Scripting issue which is triggered when the form will be edited, for example when an admin reviews it and could lead to privilege escalation. | |||||
| CVE-2021-24368 | 1 Expresstech | 1 Quiz And Survey Master | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This could allow for privilege escalation by inducing a logged in admin to open a malicious link | |||||
| CVE-2021-24367 | 1 Wp Config File Editor Project | 1 Wp Config File Editor | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The WP Config File Editor WordPress plugin through 1.7.1 was affected by an Authenticated Stored Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2021-24365 | 1 Admincolumns | 1 Admin Columns | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Admin Columns WordPress plugin Free before 4.3.2 and Pro before 5.5.2 allowed to configure individual columns for tables. Each column had a type. The type "Custom Field" allowed to choose an arbitrary database column to display in the table. There was no escaping applied to the contents of "Custom Field" columns. | |||||
| CVE-2021-24364 | 1 Tielabs | 1 Jannah | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Jannah WordPress theme before 5.4.4 did not properly sanitize the options JSON parameter in its tie_get_user_weather AJAX action before outputting it back in the page, leading to a Reflected Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2021-24362 | 1 10web | 1 Photo Gallery | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded SVG files added to a gallery do not contain malicious content. As a result, users allowed to add images to gallery can upload an SVG file containing JavaScript code, which will be executed when accessing the image directly (ie in the /wp-content/uploads/photo-gallery/ folder), leading to a Cross-Site Scripting (XSS) issue | |||||
| CVE-2021-24357 | 1 Fooplugins | 1 Foogallery | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| In the Best Image Gallery & Responsive Photo Gallery – FooGallery WordPress plugin before 2.0.35, the Custom CSS field of each gallery is not properly sanitised or validated before being being output in the page where the gallery is embed, leading to a stored Cross-Site Scripting issue. | |||||
| CVE-2021-24351 | 1 Posimyth | 1 The Plus Addons For Elementor | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The theplus_more_post AJAX action of The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.12 did not properly sanitise some of its fields, leading to a reflected Cross-Site Scripting (exploitable on both unauthenticated and authenticated users) | |||||
| CVE-2021-24350 | 1 Bestwebsoft | 1 Visitors Online | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Visitors WordPress plugin through 0.3 is affected by an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability. The plugin would display the user's user agent string without validation or encoding within the WordPress admin panel. | |||||
| CVE-2021-24349 | 1 Gallery From Files Project | 1 Gallery From Files | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| This Gallery from files WordPress plugin through 1.6.0 gives the functionality of uploading images to the server. But filenames are not properly sanitized before being output in an error message when they have an invalid extension, leading to a reflected Cross-Site Scripting issue. Due to the lack of CSRF check, the attack could also be performed via such vector. | |||||
| CVE-2021-24346 | 1 Stock In \& Out Project | 1 Stock In \& Out | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Stock in & out WordPress plugin through 1.0.4 has a search functionality, the lowest accessible level to it being contributor. The srch POST parameter is not validated, sanitised or escaped before using it in the echo statement, leading to a reflected XSS issue | |||||
| CVE-2021-24344 | 1 Easy Preloader Project | 1 Easy Preloader | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Easy Preloader WordPress plugin through 1.0.0 does not sanitise its setting fields, leading to authenticated (admin+) Stored Cross-Site scripting issues | |||||
| CVE-2021-24343 | 1 Iflychat | 1 Iflychat | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The iFlyChat WordPress plugin before 4.7.0 does not sanitise its APP ID setting before outputting it back in the page, leading to an authenticated Stored Cross-Site Scripting issue | |||||
| CVE-2021-24342 | 1 Jnews | 1 Jnews | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The JNews WordPress theme before 8.0.6 did not sanitise the cat_id parameter in the POST request /?ajax-request=jnews (with action=jnews_build_mega_category_*), leading to a Reflected Cross-Site Scripting (XSS) issue. | |||||
| CVE-2021-24339 | 1 Podsfoundation | 1 Pods | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Pods – Custom Content Types and Fields WordPress plugin before 2.7.27 was vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) security vulnerability within the 'Menu Label' field parameter. | |||||
| CVE-2021-24338 | 1 Podsfoundation | 1 Pods | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Pods – Custom Content Types and Fields WordPress plugin before 2.7.27 was vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) security vulnerability within the 'Singular Label' field parameter. | |||||
| CVE-2021-24335 | 1 Smartdatasoft | 1 Car Repair Services \& Auto Mechanic | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Car Repair Services & Auto Mechanic WordPress theme before 4.0 did not properly sanitise its serviceestimatekey search parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue | |||||
| CVE-2021-24334 | 1 Connekthq | 1 Instant Images - One Click Unsplash Uploads | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Instant Images – One Click Unsplash Uploads WordPress plugin before 4.4.0.1 did not properly validate and sanitise its unsplash_download_w and unsplash_download_h parameter settings (/wp-admin/upload.php?page=instant-images), only validating them client side before saving them, leading to a Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24333 | 1 Content Copy Protection \& Prevent Image Save Project | 1 Content Copy Protection \& Prevent Image Save | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Content Copy Protection & Prevent Image Save WordPress plugin through 1.3 does not check for CSRF when saving its settings, not perform any validation and sanitisation on them, allowing attackers to make a logged in administrator set arbitrary XSS payloads in them. | |||||
| CVE-2021-24332 | 1 Autoptimize | 1 Autoptimize | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Autoptimize WordPress plugin before 2.8.4 was missing proper escaping and sanitisation in some of its settings, allowing high privilege users to set XSS payloads in them, leading to stored Cross-Site Scripting issues | |||||