Total
38068 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24196 | 1 Cm-wp | 1 Social Slider Widget | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Social Slider Widget WordPress plugin before 1.8.5 allowed Authenticated Reflected XSS in the plugin settings page as the ‘token_error’ parameter can be controlled by users and it is directly echoed without being sanitized | |||||
| CVE-2021-24187 | 1 Clogica | 1 Seo Redirection | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The setting page of the SEO Redirection Plugin - 301 Redirect Manager WordPress plugin before 6.4 is vulnerable to reflected Cross-Site Scripting (XSS) as user input is not properly sanitised before being output in an attribute. | |||||
| CVE-2021-24180 | 1 Never5 | 1 Related Posts | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Unvalidated input and lack of output encoding within the Related Posts for WordPress plugin before 2.0.4 lead to a Reflected Cross-Site Scripting (XSS) vulnerability within the 'lang' GET parameter while editing a post, triggered when users with the capability of editing posts access a malicious URL. | |||||
| CVE-2021-24176 | 1 Jh 404 Logger Project | 1 Jh 404 Logger | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The JH 404 Logger WordPress plugin through 1.1 doesn't sanitise the referer and path of 404 pages, when they are output in the dashboard, which leads to executing arbitrary JavaScript code in the WordPress dashboard. | |||||
| CVE-2021-24169 | 1 Algolplus | 1 Advanced Order Export For Woocommerce | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| This Advanced Order Export For WooCommerce WordPress plugin before 3.1.8 helps you to easily export WooCommerce order data. The tab parameter in the Admin Panel is vulnerable to reflected XSS. | |||||
| CVE-2021-24168 | 1 Easy Contact Form Pro Project | 1 Easy Contact Form Pro | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Easy Contact Form Pro WordPress plugin before 1.1.1.9 did not properly sanitise the text fields (such as Email Subject, Email Recipient, etc) when creating or editing a form, leading to an authenticated (author+) stored cross-site scripting issue. This could allow medium privilege accounts (such as author and editor) to perform XSS attacks against high privilege ones like administrator. | |||||
| CVE-2021-24157 | 1 Themeisle | 1 Orbit Fox | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Orbit Fox by ThemeIsle has a feature to add custom scripts to the header and footer of a page or post. There were no checks to verify that a user had the unfiltered_html capability prior to saving the script tags, thus allowing lower-level users to inject scripts that could potentially be malicious. | |||||
| CVE-2021-24156 | 1 Testimonial Rotator Project | 1 Testimonial Rotator | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Stored Cross-Site Scripting vulnerabilities in Testimonial Rotator 3.0.3 allow low privileged users (Contributor) to inject arbitrary JavaScript code or HTML without approval. This could lead to privilege escalation | |||||
| CVE-2021-24153 | 1 Yoast | 1 Yoast Seo | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| A Stored Cross-Site Scripting vulnerability was discovered in the Yoast SEO WordPress plugin before 3.4.1, which had built-in blacklist filters which were blacklisting Parenthesis as well as several functions such as alert but bypasses were found. | |||||
| CVE-2021-24152 | 1 Sygnoos | 1 Popup Builder | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The "All Subscribers" setting page of Popup Builder was vulnerable to reflected Cross-Site Scripting. | |||||
| CVE-2021-24147 | 1 Webnus | 1 Modern Events Calendar Lite | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Unvalidated input and lack of output encoding in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not sanitise the mic_comment field (Notes on time) when adding/editing an event, allowing users with privilege as low as author to add events with a Cross-Site Scripting payload in them, which will be triggered in the frontend when viewing the event. | |||||
| CVE-2021-24136 | 1 Axelerant | 1 Testimonials Widget | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Unvalidated input and lack of output encoding in the Testimonials Widget WordPress plugin, versions before 4.0.0, lead to multiple Cross-Site Scripting vulnerabilities, allowing remote attackers to inject arbitrary JavaScript code or HTML via the below parameters: - Author - Job Title - Location - Company - Email - URL | |||||
| CVE-2021-24135 | 1 Gowebsolutions | 1 Wp Customer Reviews | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Unvalidated input and lack of output encoding in the WP Customer Reviews WordPress plugin, versions before 3.4.3, lead to multiple Stored Cross-Site Scripting vulnerabilities allowing remote attackers to inject arbitrary JavaScript code or HTML. | |||||
| CVE-2021-24134 | 1 Constantcontact | 1 Constant Contact Forms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| Unvalidated input and lack of output encoding in the Constant Contact Forms WordPress plugin, versions before 1.8.8, lead to multiple Stored Cross-Site Scripting vulnerabilities, which allowed high-privileged user (Editor+) to inject arbitrary JavaScript code or HTML in posts where the malicious form is embed. | |||||
| CVE-2021-24129 | 1 Themify | 1 Portfolio Post | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Unvalidated input and lack of output encoding in the Themify Portfolio Post WordPress plugin, versions before 1.1.6, lead to Stored Cross-Site Scripting (XSS) vulnerabilities allowing low-privileged users (Contributor+) to inject arbitrary JavaScript code or HTML in posts where the Themify Custom Panel is embedded, which could lead to privilege escalation. | |||||
| CVE-2021-24128 | 1 Wpdarko | 1 Team Members | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Unvalidated input and lack of output encoding in the Team Members WordPress plugin, versions before 5.0.4, lead to Cross-site scripting vulnerabilities allowing medium-privileged authenticated attacker (contributor+) to inject arbitrary web script or HTML via the 'Description/biography' of a member. | |||||
| CVE-2021-24127 | 1 Caseproof | 1 Thirstyaffiliates Affiliate Link Manager | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Unvalidated input and lack of output encoding in the ThirstyAffiliates Affiliate Link Manager WordPress plugin, versions before 3.9.3, was vulnerable to authenticated Stored Cross-Site Scripting (XSS), which could lead to privilege escalation. | |||||
| CVE-2021-24126 | 1 Enviragallery | 1 Envira Gallery | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| Unvalidated input and lack of output encoding in the Envira Gallery Lite WordPress plugin, versions before 1.8.3.3, did not properly sanitise the images metadata (namely title) before outputting them in the generated gallery, which could lead to privilege escalation. | |||||
| CVE-2021-24124 | 1 Terryl | 1 Wp Shieldon | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Unvalidated input and lack of output encoding in the WP Shieldon WordPress plugin, version 1.6.3 and below, leads to Unauthenticated Reflected Cross-Site Scripting (XSS) when the CAPTCHA page is shown could lead to privileged escalation. | |||||
| CVE-2021-24021 | 1 Fortinet | 1 Fortianalyzer | 2024-11-21 | 3.5 LOW | 4.3 MEDIUM |
| An improper neutralization of input vulnerability [CWE-79] in FortiAnalyzer versions 6.4.3 and below, 6.2.7 and below and 6.0.10 and below may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the column settings of Logview in FortiAnalyzer, should the attacker be able to obtain that POST request, via other, hypothetical attacks. | |||||