Total
38084 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24571 | 1 Harmonicdesign | 1 Hd Quiz | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The HD Quiz WordPress plugin before 1.8.4 does not escape some of its Answers before outputting them in attribute when generating the Quiz, which could lead to Stored Cross-Site Scripting issues | |||||
| CVE-2021-24570 | 1 Wpplugin | 1 Accept Donations With Paypal | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Accept Donations with PayPal WordPress plugin before 1.3.1 offers a function to create donation buttons, which internally are posts. The process to create a new button is lacking a CSRF check. An attacker could use this to make an authenticated admin create a new button. Furthermore, one of the Button field is not escaped before being output in an attribute when editing a Button, leading to a Stored Cross-Site Scripting issue as well. | |||||
| CVE-2021-24569 | 1 Hu-manity | 1 Cookie Notice \& Compliance For Gdpr \/ Ccpa | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Cookie Notice & Compliance for GDPR / CCPA WordPress plugin before 2.1.2 does not escape the value of its Button Text setting when outputting it in an attribute in the frontend, allowing high privilege users such as admin to perform Cross-Site Scripting even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-24568 | 1 Addtoany | 1 Addtoany Share Buttons | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The AddToAny Share Buttons WordPress plugin before 1.7.46 does not sanitise its Sharing Header setting when outputting it in frontend pages, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2021-24567 | 1 Nickmomrik | 1 Simple Post | 2024-11-21 | N/A | 5.4 MEDIUM |
| The Simple Post WordPress plugin through 1.1 does not sanitize user input when an authenticated user Text value, then it does not escape these values when outputting to the browser leading to an Authenticated Stored XSS Cross-Site Scripting issue. | |||||
| CVE-2021-24565 | 1 Contact Form 7 Captcha Project | 1 Contact Form 7 Captcha | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| The Contact Form 7 Captcha WordPress plugin before 0.0.9 does not have any CSRF check in place when saving its settings, allowing attacker to make a logged in user with the manage_options change them. Furthermore, the settings are not escaped when output in attributes, leading to a Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24564 | 1 Wpfront | 1 Scroll Top | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The WPFront Scroll Top WordPress plugin before 2.0.6.07225 does not sanitise or escape its Image ALT setting before outputting it attributes, leading to an Authenticated Stored Cross-Site Scripting issues even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-24563 | 1 Frontend Uploader Project | 1 Frontend Uploader | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Frontend Uploader WordPress plugin through 1.3.2 does not prevent HTML files from being uploaded via its form, allowing unauthenticated user to upload a malicious HTML file containing JavaScript for example, which will be triggered when someone access the file directly | |||||
| CVE-2021-24560 | 1 Tipsandtricks-hq | 1 Software License Manager | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Software License Manager WordPress plugin before 4.4.8 does not sanitise or escape the edit_record parameter before outputting it back in the page in the admin dashboard, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24558 | 1 3.7designs | 1 Project Status | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The pspin_duplicate_post_save_as_new_post function of the Project Status WordPress plugin through 1.6 does not sanitise, validate or escape the post GET parameter passed to it before outputting it in an error message when the related post does not exist, leading to a reflected XSS issue | |||||
| CVE-2021-24556 | 1 Email-subscriber Project | 1 Email-subscriber | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The kento_email_subscriber_ajax AJAX action of the Email Subscriber WordPress plugin through 1.1, does not properly sanitise, validate and escape the submitted subscribe_email and subscribe_name POST parameters, inserting them in the DB and then outputting them back in the Subscriber list (/wp-admin/edit.php?post_type=kes_campaign&page=kento_email_subscriber_list_settings), leading a Stored XSS issue. | |||||
| CVE-2021-24548 | 1 Mimetic | 1 Mimetic Books | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Mimetic Books WordPress plugin through 0.2.13 was vulnerable to Authenticated Stored Cross-Site Scripting (XSS) in the "Default Publisher ID" field on the plugin's settings page. | |||||
| CVE-2021-24547 | 1 Kn Fix Your Title Project | 1 Kn Fix Your Title | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The KN Fix Your Title WordPress plugin through 1.0.1 was vulnerable to Authenticated Stored XSS in the separator field. | |||||
| CVE-2021-24545 | 1 Wp Html Author Bio Project | 1 Wp Html Author Bio | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The WP HTML Author Bio WordPress plugin through 1.2.0 does not sanitise the HTML allowed in the Bio of users, allowing them to use malicious JavaScript code, which will be executed when anyone visit a post in the frontend made by such user. As a result, user with a role as low as author could perform Cross-Site Scripting attacks against users, which could potentially lead to privilege escalation when an admin view the related post/s. | |||||
| CVE-2021-24544 | 1 Motopress | 1 Motopress-slider-lite | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Responsive WordPress Slider WordPress plugin through 2.2.0 does not sanitise and escape some of the Slider options, allowing Cross-Site Scripting payloads to be set in them. Furthermore, as by default any authenticated user is allowed to create Sliders (https://wordpress.org/support/topic/slider-can-be-changed-from-any-user-even-subscriber/, such settings can be changed in the plugin's settings), this would allow user with a role as low as subscriber to perform Cross-Site Scripting attacks against logged in admins viewing the slider list and could lead to privilege escalation by creating a rogue admin account for example. | |||||
| CVE-2021-24543 | 1 Jquery-reply-to-comment Project | 1 Jquery-reply-to-comment | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The jQuery Reply to Comment WordPress plugin through 1.31 does not have any CSRF check when saving its settings, nor sanitise or escape its 'Quote String' and 'Reply String' settings before outputting them in Comments, leading to a Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24541 | 1 Wonderplugin | 1 Wonder Pdf Embed | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Wonder PDF Embed WordPress plugin before 1.7 does not escape parameters of its wonderplugin_pdf shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks. | |||||
| CVE-2021-24540 | 1 Wonderplugin | 1 Wonder Video Embed | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Wonder Video Embed WordPress plugin before 1.8 does not escape parameters of its wonderplugin_video shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks. | |||||
| CVE-2021-24539 | 1 Dazzlersoftware | 1 Coming Soon\, Under Construction \& Maintenance Mode By Dazzler | 2024-11-21 | 2.1 LOW | 4.8 MEDIUM |
| The Coming Soon, Under Construction & Maintenance Mode By Dazzler WordPress plugin before 1.6.7 does not sanitise or escape its description setting when outputting it in the frontend when the Coming Soon mode is enabled, even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue | |||||
| CVE-2021-24538 | 1 Current Book Project | 1 Current Book | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Current Book WordPress plugin through 1.0.1 does not sanitize user input when an authenticated user adds Author or Book Title, then does not escape these values when outputting to the browser leading to an Authenticated Stored XSS Cross-Site Scripting issue. | |||||