Vulnerabilities (CVE)

Filtered by CWE-79
Total 38072 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-24306 1 Ultimatemember 1 Ultimate Member 2024-11-21 3.5 LOW 5.4 MEDIUM
The Ultimate Member – User Profile, User Registration, Login & Membership Plugin WordPress plugin before 2.1.20 did not properly sanitise, validate or encode the query string when generating a link to edit the user's own profile, leading to an authenticated reflected Cross-Site Scripting issue. Knowledge of the targeted username is required to exploit this, and attackers would then need to make the related logged-in user open a malicious link.
CVE-2021-24305 1 Targetfirst 1 Watcheezy 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
The Target First WordPress Plugin v2.0, also previously known as Watcheezy, suffers from a critical unauthenticated stored XSS vulnerability. An attacker could change the licence key value through a POST on any URL with the 'weeWzKey' parameter, which will be saved as the 'weeID' option and is not sanitized.
CVE-2021-24304 1 Tagdiv 1 Newsmag 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
The Newsmag WordPress theme before 5.0 does not sanitise the td_block_id parameter in its td_ajax_block AJAX action, leading to an unauthenticated Reflected Cross-site Scripting (XSS) vulnerability.
CVE-2021-24302 1 Neox 1 Hana Flv Player 2024-11-21 3.5 LOW 5.4 MEDIUM
The Hana Flv Player WordPress plugin through 3.1.3 is vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability within the 'Default Skin' field.
CVE-2021-24301 1 Bluemedicinelabs 1 Hotjar Connecticator 2024-11-21 3.5 LOW 5.4 MEDIUM
The Hotjar Connecticator WordPress plugin through 1.1.1 is vulnerable to Stored Cross-Site Scripting (XSS) in the 'hotjar script' textarea. The request did include a CSRF nonce that was properly verified by the server and this vulnerability could only be exploited by administrator users.
CVE-2021-24300 1 Pickplugins 1 Product Slider For Woocommerce 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
The slider import search feature of the PickPlugins Product Slider for WooCommerce WordPress plugin before 1.13.22 did not properly sanitise the keyword GET parameter, leading to a reflected Cross-Site Scripting issue.
CVE-2021-24299 1 Catzsoft 1 Redi Restaurant Reservation 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
The ReDi Restaurant Reservation WordPress plugin before 21.0426 provides the functionality to let users make restaurant reservations. These reservations are stored and can be listed on an 'Upcoming' page provided by the plugin. An unauthenticated user can fill in the form to make a restaurant reservation. The 'Comment' field of the reservation form does not use proper input validation and can be used to store XSS payloads. The XSS payloads will be executed when the plugin user goes to the 'Upcoming' page, which is an external website https://upcoming.reservationdiary.eu/ loaded in an iframe, and the stored reservation with the XSS payload is loaded.
CVE-2021-24298 1 Ibenic 1 Simple Giveaways 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
The method and share GET parameters of the Giveaway pages were not sanitised, validated or escaped before being output back in the pages, thus leading to reflected XSS.
CVE-2021-24297 1 Boostifythemes 1 Goto 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
The Goto WordPress theme before 2.1 did not properly sanitize the formvalue JSON POST parameter in its tl_filter AJAX action, leading to an unauthenticated Reflected Cross-site Scripting (XSS) vulnerability.
CVE-2021-24296 1 Gowebsolutions 1 Wp Customer Reviews 2024-11-21 3.5 LOW 4.8 MEDIUM
The WP Customer Reviews WordPress plugin before 3.5.6 did not sanitise some of its settings, allowing high privilege users such as administrators to set XSS payloads in them, which will then be triggered in pages where reviews are enabled.
CVE-2021-24294 1 Mlfactory 1 Dsgvo All In One For Wp 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
The dsgvoaio_write_log AJAX action of the DSGVO All in one for WP WordPress plugin before 4.0 did not sanitise or escape some submitted POST parameters before outputting them in the Log page in the administrator dashboard (wp-admin/admin.php?page=dsgvoaiofree-show-log). This could allow unauthenticated attackers to gain unauthorised access by using an XSS payload to create a rogue administrator account, which will be triggered when an administrator views the logs.
CVE-2021-24293 1 Imagely 1 Nextgen Gallery 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
In the eCommerce module of the NextGEN Gallery Pro WordPress plugin before 3.1.11, there is an action to call get_cart_items via photocrati_ajax, after which settings[shipping_address][name] can be used to inject malicious JavaScript.
CVE-2021-24292 1 Wedevs 1 Happy Addons For Elementor 2024-11-21 3.5 LOW 5.4 MEDIUM
The Happy Addons for Elementor WordPress plugin before 2.24.0 and the Happy Addons Pro for Elementor WordPress plugin before 1.17.0 have a number of widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method: The “Card” widget accepts a “title_tag” parameter. Although the element control lists a fixed set of possible HTML tags, it is possible to send a ‘save_builder’ request with the “heading_tag” set to “script”, and the actual “title” parameter set to JavaScript to be executed within the script tags added by the “heading_tag” parameter.
CVE-2021-24291 1 10web 1 Photo Gallery 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.69 was vulnerable to Reflected Cross-Site Scripting (XSS) issues via the gallery_id, tag, album_id and _id GET parameters passed to the bwg_frontend_data AJAX action (available to both unauthenticated and authenticated users).
CVE-2021-24290 1 De-baat 1 Store Locator Plus 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
There are several endpoints in the Store Locator Plus for WordPress plugin through 5.5.15 that could allow unauthenticated attackers the ability to inject malicious JavaScript into pages.
CVE-2021-24287 1 Mooveagency 1 Select All Categories And Taxonomies, Change Checkbox To Radio Buttons 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
The settings page of the Select All Categories and Taxonomies, Change Checkbox to Radio Buttons WordPress plugin before 1.3.2 did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue.
CVE-2021-24286 1 Mooveagency 1 Redirect 404 To Parent 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
The settings page of the Redirect 404 to parent WordPress plugin before 1.3.1 did not properly sanitise the tab parameter before outputting it back, leading to a reflected Cross-Site Scripting issue.
CVE-2021-24283 1 Pickplugins 1 Accordion 2024-11-21 3.5 LOW 5.4 MEDIUM
The tab GET parameter of the settings page is not sanitised or escaped when being output back in an HTML attribute, leading to a reflected XSS issue.
CVE-2021-24277 1 Wpuslugi 1 Rss For Yandex Turbo 2024-11-21 3.5 LOW 5.4 MEDIUM
The RSS for Yandex Turbo WordPress plugin before 1.30 did not properly sanitise the user inputs from its ???????? settings tab before outputting them back in the page, leading to authenticated stored Cross-Site Scripting issues
CVE-2021-24276 1 Supsystic 1 Contact Form 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
The Contact Form by Supsystic WordPress plugin before 1.7.15 did not sanitise the tab parameter of its options page before outputting it in an attribute, leading to a reflected Cross-Site Scripting issue.