Total: 38109 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2021-24924 | 1 Email Log Project | 1 Email Log | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Email Log WordPress plugin before 2.4.8 does not escape the d parameter before outputting it back in an attribute in the Log page, leading to a Reflected Cross-Site Scripting issue.
CVE-2021-24923 | 1 Brevo | 1 Newsletter, Smtp, Email Marketing And Subscribe | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue WordPress plugin before 3.1.25 does not escape the sib-statistics-date parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue.
CVE-2021-24921 | 1 Sigmaplugin | 1 Advanced Database Cleaner | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Advanced Database Cleaner WordPress plugin before 3.0.4 does not sanitise and escape $_GET keys and values before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues.
CVE-2021-24920 | 1 Statcounter | 1 Statcounter | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The StatCounter WordPress plugin before 2.0.7 does not sanitise and escape the Project ID and Secure Code settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24918 | 1 Smashballoon | 1 Smash Balloon Social Post Feed | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The Smash Balloon Social Post Feed WordPress plugin before 4.0.1 did not have any privilege or nonce validation before saving the plugin's settings. As a result, any logged-in user on a vulnerable site could update the settings and store rogue JavaScript on each of its posts and pages.
CVE-2021-24912 | 1 Transposh | 1 Transposh Wordpress Translation | 2024-11-21 | N/A | 5.4 MEDIUM | The Transposh WordPress Translation WordPress plugin before 1.0.8 does not have a CSRF check in its tp_translation AJAX action, which could allow attackers to make authorised users add a translation. Given the lack of sanitisation in the tk0 parameter, this could lead to a Stored Cross-Site Scripting issue which will be executed in the context of a logged in admin.
CVE-2021-24911 | 1 Transposh | 1 Transposh Wordpress Translation | 2024-11-21 | N/A | 5.4 MEDIUM | The Transposh WordPress Translation WordPress plugin before 1.0.8 does not sanitise and escape the tk0 parameter from the tp_translation AJAX action, leading to Stored Cross-Site Scripting, which will trigger in the admin dashboard of the plugin. The minimum role needed to perform such an attack depends on the plugin's "Who can translate ?" setting.
CVE-2021-24910 | 1 Transposh | 1 Transposh Wordpress Translation | 2024-11-21 | N/A | 6.1 MEDIUM | The Transposh WordPress Translation WordPress plugin before 1.0.8 does not sanitise and escape the a parameter via an AJAX action (available to both unauthenticated and authenticated users when the curl library is installed) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue.
CVE-2021-24909 | 1 Navz | 1 Acf Photo Gallery Field | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The ACF Photo Gallery Field WordPress plugin before 1.7.5 does not sanitise and escape the post parameter in the includes/acf_photo_gallery_metabox_edit.php file before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue.
CVE-2021-24908 | 1 Wpchill | 1 Check & Log Email | 2024-11-21 | 2.6 LOW | 6.1 MEDIUM | The Check & Log Email WordPress plugin before 1.0.4 does not escape the d parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue.
CVE-2021-24907 | 1 Wpeverest | 1 Everest Forms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Contact Form, Drag and Drop Form Builder for WordPress plugin before 1.8.0 does not escape the status parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue.
CVE-2021-24904 | 1 Lenderd | 1 Mortgage Calculators Wp | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The Mortgage Calculators WP WordPress plugin before 1.56 does not implement any sanitisation on the color setting of the background of a calculator, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24903 | 1 Codeasily | 1 Grand Flagallery | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The GRAND FlaGallery WordPress plugin through 6.1.2 does not sanitise and escape some of its gallery settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24902 | 1 Typebot | 1 Typebot | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The Typebot \| Build beautiful conversational forms WordPress plugin before 1.4.3 does not sanitise and escape the Publish ID setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24901 | 1 Securemoz | 1 Security Audit | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The Security Audit WordPress plugin through 1.0.0 does not sanitise and escape the Data Id setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24900 | 1 Wpmanageninja | 1 Ninja Tables | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The Ninja Tables WordPress plugin before 4.1.8 does not sanitise and escape some of its table fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24899 | 1 Media-tags Project | 1 Media-tags | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The Media-Tags WordPress plugin through 3.2.0.2 does not sanitise and escape any of its Labels settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24898 | 1 Editable-table Project | 1 Editable Table | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The EditableTable WordPress plugin through 0.1.4 does not sanitise and escape any of the Table and Column fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24897 | 1 Viitorcloud | 1 Add Subtitle | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The Add Subtitle WordPress plugin through 1.1.0 does not sanitise or escape the sub-title field (available only with the classic editor) when output in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks.
CVE-2021-24896 | 1 Calderaforms | 1 Caldera Forms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The Caldera Forms WordPress plugin before 1.9.5 does not sanitise and escape the Form Name before outputting it in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.