Total
39597 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24331 | 1 Smooth Scroll Page Up\/down Buttons Project | 1 Smooth Scroll Page Up\/down Buttons | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Smooth Scroll Page Up/Down Buttons WordPress plugin before 1.4 did not properly sanitise and validate its settings, such as psb_distance, psb_buttonsize, psb_speed, only validating them client side. This could allow high privilege users (such as admin) to set XSS payloads in them | |||||
| CVE-2021-24330 | 1 Cartflows | 1 Cartflows | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Funnel Builder by CartFlows – Create High Converting Sales Funnels For WordPress plugin before 1.6.13 did not sanitise its facebook_pixel_id and google_analytics_id settings, allowing high privilege users to set XSS payload in them, which will either be executed on pages generated by the plugin, or the whole website depending on the settings used. | |||||
| CVE-2021-24329 | 1 Automattic | 1 Wp Super Cache | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The WP Super Cache WordPress plugin before 1.7.3 did not properly sanitise its wp_cache_location parameter in its settings, which could lead to a Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24328 | 1 Clogica | 1 Wp Login Security And History | 2024-11-21 | 3.5 LOW | 6.2 MEDIUM |
| The WP Login Security and History WordPress plugin through 1.0 did not have CSRF check when saving its settings, not any sanitisation or validation on them. This could allow attackers to make logged in administrators change the plugin's settings to arbitrary values, and set XSS payloads on them as well | |||||
| CVE-2021-24327 | 1 Clogica | 1 Seo Redirection Plugin | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The SEO Redirection Plugin – 301 Redirect Manager WordPress plugin before 6.4 did not sanitise the Redirect From and Redirect To fields when creating a new redirect in the dashboard, allowing high privilege users (even with the unfiltered_html disabled) to set XSS payloads | |||||
| CVE-2021-24326 | 1 Clogica | 1 All 404 Redirect To Homepage | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The tab parameter of the settings page of the All 404 Redirect to Homepage WordPress plugin before 1.21 was vulnerable to an authenticated reflected Cross-Site Scripting (XSS) issue as user input was not properly sanitised before being output in an attribute. | |||||
| CVE-2021-24325 | 1 Clogica | 1 Seo Redirection Plugin | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The tab parameter of the settings page of the 404 SEO Redirection WordPress plugin through 1.3 is vulnerable to a reflected Cross-Site Scripting (XSS) issue as user input is not properly sanitised or escaped before being output in an attribute. | |||||
| CVE-2021-24323 | 1 Woocommerce | 1 Woocommerce | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high privilege users such as admin to use XSS payloads even when the unfiltered_html is disabled | |||||
| CVE-2021-24322 | 1 Deliciousbrains | 1 Database Backup | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Database Backup for WordPress plugin before 2.4 did not escape the backup_recipient POST parameter in before output it back in the attribute of an HTML tag, leading to a Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24320 | 1 Bold-themes | 1 Bello | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Bello - Directory & Listing WordPress theme before 1.6.0 did not properly sanitise and escape its listing_list_view, bt_bb_listing_field_my_lat, bt_bb_listing_field_my_lng, bt_bb_listing_field_distance_value, bt_bb_listing_field_my_lat_default, bt_bb_listing_field_keyword, bt_bb_listing_field_location_autocomplete, bt_bb_listing_field_price_range_from and bt_bb_listing_field_price_range_to parameter in ints listing page, leading to reflected Cross-Site Scripting issues. | |||||
| CVE-2021-24319 | 1 Bold-themes | 1 Bello | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Bello - Directory & Listing WordPress theme before 1.6.0 did not properly sanitise its post_excerpt parameter before outputting it back in the shop/my-account/bello-listing-endpoint/ page, leading to a Cross-Site Scripting issue | |||||
| CVE-2021-24317 | 1 Purethemes | 1 Listeo | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Listeo WordPress theme before 1.6.11 did not properly sanitise some parameters in its Search, Booking Confirmation and Personal Message pages, leading to Cross-Site Scripting issues | |||||
| CVE-2021-24316 | 1 Wowthemes | 1 Mediumish | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The search feature of the Mediumish WordPress theme through 1.0.47 does not properly sanitise it's 's' GET parameter before output it back the page, leading to the Cross-SIte Scripting issue. | |||||
| CVE-2021-24315 | 1 Givewp | 1 Givewp | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.10.4 did not sanitise or escape the Background Image field of its Stripe Checkout Setting and Logo field in its Email settings, leading to authenticated (admin+) Stored XSS issues. | |||||
| CVE-2021-24313 | 1 Goprayer | 1 Wp Prayer | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The WP Prayer WordPress plugin before 1.6.2 provides the functionality to store requested prayers/praises and list them on a WordPress website. These stored prayer/praise requests can be listed by using the WP Prayer engine. An authenticated WordPress user with any role can fill in the form to request a prayer. The form to request prayers or praises have several fields. The 'prayer request' and 'praise request' fields do not use proper input validation and can be used to store XSS payloads. | |||||
| CVE-2021-24310 | 1 10web | 1 Photo Gallery | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Photo Gallery by 10Web - Mobile-Friendly Image Gallery WordPress plugin before 1.5.67 did not properly sanitise the gallery title, allowing high privilege users to create one with XSS payload in it, which will be triggered when another user will view the gallery list or the affected gallery in the admin dashboard. This is due to an incomplete fix of CVE-2019-16117 | |||||
| CVE-2021-24309 | 1 Weekly Schedule Project | 1 Weekly Schedule | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The "Schedule Name" input in the Weekly Schedule WordPress plugin before 3.4.3 general options did not properly sanitize input, allowing a user to inject javascript code using the <script> HTML tags and cause a stored XSS issue | |||||
| CVE-2021-24308 | 1 Lifterlms | 1 Lifterlms | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The 'State' field of the Edit profile page of the LMS by LifterLMS – Online Course, Membership & Learning Management System Plugin for WordPress plugin before 4.21.1 is not properly sanitised when output in the About section of the profile page, leading to a stored Cross-Site Scripting issue. This could allow low privilege users (such as students) to elevate their privilege via an XSS attack when an admin will view their profile. | |||||
| CVE-2021-24306 | 1 Ultimatemember | 1 Ultimate Member | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Ultimate Member – User Profile, User Registration, Login & Membership Plugin WordPress plugin before 2.1.20 did not properly sanitise, validate or encode the query string when generating a link to edit user's own profile, leading to an authenticated reflected Cross-Site Scripting issue. Knowledge of the targeted username is required to exploit this, and attackers would then need to make the related logged in user open a malicious link. | |||||
| CVE-2021-24305 | 1 Targetfirst | 1 Watcheezy | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Target First WordPress Plugin v2.0, also previously known as Watcheezy, suffers from a critical unauthenticated stored XSS vulnerability. An attacker could change the licence key value through a POST on any URL with the 'weeWzKey' parameter that will be save as the 'weeID option and is not sanitized. | |||||