Total
14524 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24492 | 1 Handsome Testimonials \& Reviews Project | 1 Handsome Testimonials \& Reviews | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| The hndtst_action_instance_callback AJAX call of the Handsome Testimonials & Reviews WordPress plugin before 2.1.1, available to any authenticated users, does not sanitise, validate or escape the hndtst_previewShortcodeInstanceId POST parameter before using it in a SQL statement, leading to an SQL Injection issue. | |||||
| CVE-2021-24484 | 1 Ays-pro | 1 Secure Copy Content Protection And Content Locking | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| The get_reports() function in the Secure Copy Content Protection and Content Locking WordPress plugin before 2.6.7 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard | |||||
| CVE-2021-24483 | 1 Ays-pro | 1 Poll Maker | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| The get_poll_categories(), get_polls() and get_reports() functions in the Poll Maker WordPress plugin before 3.2.1 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard | |||||
| CVE-2021-24465 | 1 Meowapps | 1 Meow Gallery | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| The Meow Gallery WordPress plugin before 4.1.9 does not sanitise, validate or escape the ids attribute of its gallery shortcode (available for users as low as Contributor) before using it in an SQL statement, leading to an authenticated SQL Injection issue. The injection also allows the returned values to be manipulated in a way that could lead to data disclosure and arbitrary objects to be deserialized. | |||||
| CVE-2021-24463 | 1 Ays-pro | 1 Image Slider | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| The get_sliders() function in the Image Slider by Ays- Responsive Slider and Carousel WordPress plugin before 2.5.0 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard | |||||
| CVE-2021-24462 | 1 Ays-pro | 1 Photo Gallery | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| The get_gallery_categories() and get_galleries() functions in the Photo Gallery by Ays – Responsive Image Gallery WordPress plugin before 4.4.4 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard | |||||
| CVE-2021-24461 | 1 Ays-pro | 1 Faq Builder | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| The get_faqs() function in the FAQ Builder AYS WordPress plugin before 1.3.6 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard | |||||
| CVE-2021-24460 | 1 Ays-pro | 1 Popup Box | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| The get_fb_likeboxes() function in the Popup Like box – Page Plugin WordPress plugin before 3.5.3 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard | |||||
| CVE-2021-24459 | 1 Ays-pro | 1 Survey Maker | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| The get_results() and get_items() functions in the Survey Maker WordPress plugin before 1.5.6 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard | |||||
| CVE-2021-24458 | 1 Ays-pro | 1 Popup Box | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| The get_ays_popupboxes() and get_popup_categories() functions of the Popup box WordPress plugin before 2.3.4 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard | |||||
| CVE-2021-24457 | 1 Ays-pro | 1 Portfolio Responsive Gallery | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| The get_portfolios() and get_portfolio_attributes() functions in the class-portfolio-responsive-gallery-list-table.php and class-portfolio-responsive-gallery-attributes-list-table.php files of the Portfolio Responsive Gallery WordPress plugin before 1.1.8 did not use whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard | |||||
| CVE-2021-24456 | 1 Ays-pro | 1 Quiz Maker | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| The Quiz Maker WordPress plugin before 6.2.0.9 did not properly sanitise and escape the order and orderby parameters before using them in SQL statements, leading to SQL injection issues in the admin dashboard | |||||
| CVE-2021-24451 | 1 Export Users With Meta Project | 1 Export Users With Meta | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| The Export Users With Meta WordPress plugin before 0.6.5 did not escape the list of roles to export before using them in a SQL statement in the export functionality, available to admins, leading to an authenticated SQL Injection. | |||||
| CVE-2021-24442 | 1 Wpdevart | 1 Poll\, Survey\, Questionnaire And Voting System | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The Poll, Survey, Questionnaire and Voting system WordPress plugin before 1.5.3 did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks | |||||
| CVE-2021-24404 | 1 Wp-board Project | 1 Wp-board | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| The options.php file of the WP-Board WordPress plugin through 1.1 beta accepts a postid parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. This is a time based SQLI and in the same function vulnerable parameter is passed twice so if we pass time as 5 seconds it takes 10 seconds to return since the query ran twice. | |||||
| CVE-2021-24403 | 1 Wpagecontact Project | 1 Wpagecontact | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| The Orders functionality in the WordPress Page Contact plugin through 1.0 has an order_id parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. The feature is available to low privilege users such as contributors | |||||
| CVE-2021-24402 | 1 Solvercircle | 1 Wp Icommerce | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| The Orders functionality in the WP iCommerce WordPress plugin through 1.1.1 has an `order_id` parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. The feature is available to low privilege users such as contributors | |||||
| CVE-2021-24401 | 1 Wp-domain-redirect Project | 1 Wp-domain-redirect | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| The Edit domain functionality in the WP Domain Redirect WordPress plugin through 1.0 has an `editid` parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | |||||
| CVE-2021-24400 | 1 Wp-display-users Project | 1 Wp-display-users | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| The Edit Role functionality in the Display Users WordPress plugin through 2.0.0 had an `id` parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | |||||
| CVE-2021-24399 | 1 Ombu | 1 The Sorter | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| The check_order function of The Sorter WordPress plugin through 1.0 uses an `area_id` parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. | |||||