Total
38084 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24599 | 1 Wp-webhooks | 1 Email Encoder | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Email Encoder – Protect Email Addresses WordPress plugin before 2.1.2 has an endpoint that requires no authentication and will render a user supplied value in the HTML response without escaping or sanitizing the data. | |||||
| CVE-2021-24598 | 1 Wpshopmart | 1 Testimonial Builder | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Testimonial WordPress plugin before 1.6.0 does not escape some testimonial fields which could allow high privilege users to perform Cross Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2021-24597 | 1 You-shang Project | 1 You-shang | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The You Shang WordPress plugin through 1.0.1 does not escape its qrcode links settings, which result into Stored Cross-Site Scripting issues in frontend posts and the plugins settings page depending on the payload used | |||||
| CVE-2021-24596 | 1 Itservicejung | 1 Youforms-free-for-copecart | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The youForms for WordPress plugin through 1.0.5 does not sanitise escape the Button Text field of its Templates, allowing high privilege users (editors and admins) to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2021-24595 | 1 Wp Cookie Choice Project | 1 Wp Cookie Choice | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Wp Cookie Choice WordPress plugin through 1.1.0 is lacking any CSRF check when saving its options, and do not escape them when outputting them in attributes. As a result, an attacker could make a logged in admin change them to arbitrary values including XSS payloads via a CSRF attack. | |||||
| CVE-2021-24594 | 1 Gtranslate | 1 Google Language Translator | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Translate WordPress – Google Language Translator WordPress plugin before 6.0.12 does not sanitise and escape some of its settings before outputting it in various pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-24593 | 1 Business Hours Indicator Project | 1 Business Hours Indicator | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Business Hours Indicator WordPress plugin before 2.3.5 does not sanitise or escape its 'Now closed message" setting when outputting it in the backend and frontend, leading to an Authenticated Stored Cross-Site Scripting issue | |||||
| CVE-2021-24592 | 1 Yoohooplugins | 1 Sitewide Notice | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Sitewide Notice WP WordPress plugin before 2.3 does not sanitise some of its settings before outputting them in frontend pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2021-24591 | 1 Dna88 | 1 Highlight | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Highlight WordPress plugin before 0.9.3 does not sanitise its CustomCSS setting, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2021-24590 | 1 Gdprinfo | 1 Cookie Notice \& Consent Banner For Gdpr \& Ccpa Compliance | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Cookie Notice & Consent Banner for GDPR & CCPA Compliance WordPress plugin before 1.7.2 does not properly sanitize inputs to prevent injection of arbitrary HTML within the plugin's design customization options. | |||||
| CVE-2021-24588 | 1 Cozyvision | 1 Sms Alert Order Notifications | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The SMS Alert Order Notifications WordPress plugin before 3.4.7 is affected by a cross site scripting (XSS) vulnerability in the plugin's setting page. | |||||
| CVE-2021-24587 | 1 Zeesweb | 1 Splash Header | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Splash Header WordPress plugin before 1.20.8 doesn't sanitise and escape some of its settings while outputting them in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24586 | 1 Evona | 1 Per Page Add To Head | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Per page add to head WordPress plugin before 1.4.4 is lacking any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the setting (feature mentioned by the plugin), this could lead to Stored XSS issue which will be triggered either in the backend, frontend or both depending on the payload used. | |||||
| CVE-2021-24584 | 1 Motopress | 1 Timetable And Event Schedule | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Timetable and Event Schedule WordPress plugin before 2.4.2 does not have proper access control when updating a timeslot, allowing any user with the edit_posts capability (contributor+) to update arbitrary timeslot from any events. Furthermore, no CSRF check is in place as well, allowing such attack to be perform via CSRF against a logged in with such capability. In versions before 2.3.19, the lack of sanitisation and escaping in some of the fields, like the descritption could also lead to Stored XSS issues | |||||
| CVE-2021-24582 | 1 Thinktwit Project | 1 Thinktwit | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The ThinkTwit WordPress plugin before 1.7.1 did not sanitise or escape its "Consumer key" setting before outputting it its settings page, leading to a Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24581 | 1 Blue-admin Project | 1 Blue-admin | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| The Blue Admin WordPress plugin through 21.06.01 does not sanitise or escape its "Logo Title" setting before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin does not have CSRF check in place when saving its settings, allowing the issue to be exploited via a CSRF attack. | |||||
| CVE-2021-24578 | 1 Themeboy | 1 Sportspress | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The SportsPress WordPress plugin before 2.7.9 does not sanitise and escape its match_day parameter before outputting back in the Events backend page, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24577 | 1 Wpdevart | 1 Coming Soon And Maintenance Mode | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Coming soon and Maintenance mode WordPress plugin before 3.5.3 does not properly sanitize inputs submitted by authenticated users when setting adding or modifying coming soon or maintenance mode pages, leading to stored XSS. | |||||
| CVE-2021-24576 | 1 Techearty | 1 Easy Accordion | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Easy Accordion WordPress plugin before 2.0.22 does not properly sanitize inputs when adding new items to an accordion. | |||||
| CVE-2021-24574 | 1 Simple Banner Project | 1 Simple Banner | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Simple Banner WordPress plugin before 2.10.4 does not sanitise and escape one of its settings, allowing high privilege users such as admin to use Cross-Site Scripting payload even when the unfiltered_html capability is disallowed. | |||||