Total
38109 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24961 | 1 Iptanus | 2 Wordpress File Upload, Wordpress File Upload Pro | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The WordPress File Upload WordPress plugin before 4.16.3, wordpress-file-upload-pro WordPress plugin before 4.16.3 does not escape some of its shortcode argument, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks | |||||
| CVE-2021-24958 | 1 Mekshq | 1 Meks Easy Photo Feed Widget | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Meks Easy Photo Feed Widget WordPress plugin before 1.2.4 does not have capability and CSRF checks in the meks_save_business_selected_account AJAX action, available to any authenticated user, and does not escape some of the settings. As a result, any authenticated user, such as subscriber could update the plugin's settings and put Cross-Site Scripting payloads in them | |||||
| CVE-2021-24956 | 1 Adenion | 1 Blog2social | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 6.8.7 does not sanitise and escape the b2sShowByDate parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24955 | 1 Profilepress | 1 User Registration\, Login Form\, User Profile \& Membership | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The User Registration, Login Form, User Profile & Membership WordPress plugin before 3.2.3 does not escape the data parameter of the pp_get_forms_by_builder_type AJAX action before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24954 | 1 Profilepress | 1 User Registration\, Login Form\, User Profile \& Membership | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The User Registration, Login Form, User Profile & Membership WordPress plugin before 3.2.3 does not sanitise and escape the ppress_cc_data parameter before outputting it back in an attribute of an admin dashboard page, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24953 | 1 Tinywebgallery | 1 Advanced Iframe | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Advanced iFrame WordPress plugin before 2022 does not sanitise and escape the ai_config_id parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24944 | 1 Cusmin | 1 Absolutely Glamorous Custom Admin | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Custom Dashboard & Login Page WordPress plugin before 7.0 does not sanitise some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-24941 | 1 Icegram | 1 Icegram | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Popups, Welcome Bar, Optins and Lead Generation Plugin WordPress plugin before 2.0.5 does not sanitise and escape the message_id parameter of the get_message_action_row AJAX action before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue | |||||
| CVE-2021-24940 | 1 Woocommerce | 1 Persian-woocommerce | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Persian Woocommerce WordPress plugin through 5.8.0 does not escape the s parameter before outputting it back in an attribute in the admin dashboard, which could lead to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24939 | 1 Profilepress | 1 Loginwp | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The LoginWP (Formerly Peter's Login Redirect) WordPress plugin before 3.0.0.5 does not sanitise and escape the rul_login_url and rul_logout_url parameter before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24938 | 1 Woocommerce | 1 Woocommerce Currency Switcher | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WOOCS WordPress plugin before 1.3.7.1 does not sanitise and escape the key parameter of the woocs_update_profiles_data AJAX action (available to any authenticated user) before outputting it back in the response, leading to a Reflected cross-Site Scripting issue | |||||
| CVE-2021-24937 | 1 Asset Cleanup\ | 1 Page Speed Booster Project | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Asset CleanUp: Page Speed Booster WordPress plugin before 1.3.8.5 does not escape the wpacu_selected_sub_tab_area parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24935 | 1 Wp Google Fonts Project | 1 Wp Google Fonts | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WP Google Fonts WordPress plugin before 3.1.5 does not escape the googlefont_ajax_name and googlefont_ajax_family parameter of the googlefont_action AJAx action (available to any authenticated user) before outputing them in attributes, leading Reflected Cross-Site Scripting issues | |||||
| CVE-2021-24934 | 1 Yellowpencil | 1 Visual Css Style Editor | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Visual CSS Style Editor WordPress plugin before 7.5.4 does not sanitise and escape the wyp_page_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24933 | 1 Bootstrapped | 1 Dynamic Widgets | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Dynamic Widgets WordPress plugin through 1.5.16 does not escape the prefix parameter before outputting it back in an attribute when using the term_tree AJAX action (available to any authenticated users), leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24932 | 1 Cm-wp | 1 Auto Featured Image | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Auto Featured Image (Auto Post Thumbnail) WordPress plugin before 3.9.3 does not sanitise and escape the post_id parameter before outputting back in an admin page within a JS block, leading to a Reflected Cross-Site Scripting issue. | |||||
| CVE-2021-24930 | 1 Booking-wp-plugin | 1 Bookly | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The WordPress Online Booking and Scheduling Plugin WordPress plugin before 20.3.1 does not escape the Staff Full Name field before outputting it back in a page, which could lead to a Stored Cross-Site Scripting issue | |||||
| CVE-2021-24927 | 1 My Calendar Project | 1 My Calendar | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The My Calendar WordPress plugin before 3.2.18 does not sanitise and escape the callback parameter of the mc_post_lookup AJAX action (available to any authenticated user) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24926 | 1 Domaincheckplugin | 1 Domain Check | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Domain Check WordPress plugin before 1.0.17 does not sanitise and escape the domain parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24925 | 1 Webnus | 1 Modern Events Calendar Lite | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the current_month_divider parameter of its mec_list_load_more AJAX call (available to both unauthenticated and authenticated users) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue | |||||