Total: 15370 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2021-24199 | 1 Tms-outsource | 1 Wpdatatables | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, on the 'start' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application. |
CVE-2021-24186 | 1 Themeum | 1 Tutor Lms | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | The tutor_answering_quiz_question/get_answer_by_id function pair from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION-based SQL injection that could be exploited by students. |
CVE-2021-24185 | 1 Themeum | 1 Tutor Lms | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | The tutor_place_rating AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 was vulnerable to blind and time-based SQL injections that could be exploited by students. |
CVE-2021-24183 | 1 Themeum | 1 Tutor Lms | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | The tutor_quiz_builder_get_question_form AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION-based SQL injection that could be exploited by students. |
CVE-2021-24182 | 1 Themeum | 1 Tutor Lms | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | The tutor_quiz_builder_get_answers_by_question AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION-based SQL injection that could be exploited by students. |
CVE-2021-24181 | 1 Themeum | 1 Tutor Lms | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | The tutor_mark_answer_as_correct AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 was vulnerable to blind and time-based SQL injections that could be exploited by students. |
CVE-2021-24149 | 1 Webnus | 1 Modern Events Calendar Lite | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | The Modern Events Calendar Lite WordPress plugin, versions before 5.16.6, did not sanitise the mec[post_id] POST parameter in the mec_fes_form AJAX action when logged in as an author+, leading to an authenticated SQL Injection issue. |
CVE-2021-24143 | 1 Accesspressthemes | 1 Accesspress Social Icons | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | The AccessPress Social Icons plugin, versions before 1.8.1, did not sanitise its widget attribute, allowing accounts with post permission, such as author, to perform SQL injections. |
CVE-2021-24142 | 1 Webfactoryltd | 1 301 Redirects | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH | The 301 Redirects - Easy Redirect Manager WordPress plugin, versions before 2.51, did not sanitise its "Redirect From" column when importing a CSV file, allowing high privilege users to perform SQL injections. |
CVE-2021-24141 | 1 Sigmaplugin | 1 Advanced Database Cleaner | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH | Unvalidated input in the Advanced Database Cleaner plugin, versions before 3.0.2, leads to SQL injection, allowing high privilege users (admin+) to perform SQL attacks. |
CVE-2021-24140 | 1 Connekthq | 1 Ajax Load More | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH | Unvalidated input in the Ajax Load More WordPress plugin, versions before 5.3.2, leads to SQL Injection in POST /wp-admin/admin-ajax.php with param repeater=' or sleep(5)#&type=test. |
CVE-2021-24139 | 1 10web | 1 Photo Gallery | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Unvalidated input in the Photo Gallery (10Web Photo Gallery) WordPress plugin, versions before 1.5.55, leads to SQL injection via the frontend/models/model.php bwg_search_x parameter. |
CVE-2021-24138 | 1 Ajdg | 1 Adrotate | 2024-11-21 | 5.5 MEDIUM | 5.5 MEDIUM | Unvalidated input in the AdRotate WordPress plugin, versions before 5.8.4, leads to authenticated SQL injection via the "id" parameter. This requires an admin privileged user. |
CVE-2021-24137 | 1 Adenion | 1 Blog2social | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | Unvalidated input in the Blog2Social WordPress plugin, versions before 6.3.1, leads to SQL Injection in the Re-Share Posts feature, allowing authenticated users to inject arbitrary SQL commands. |
CVE-2021-24132 | 1 10web | 1 Slider | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH | The Slider by 10Web WordPress plugin, versions before 1.2.36, was vulnerable in its bulk_action, export_full and save_slider_db functionalities, allowing a high privileged user (Admin), or a medium one such as Contributor+ (if "Role Options" is turned on for other users), to perform SQL Injection attacks. |
CVE-2021-24131 | 1 Cleantalk | 1 Anti-spam | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH | Unvalidated input in the Anti-Spam by CleanTalk WordPress plugin, versions before 5.149, leads to multiple authenticated SQL injection vulnerabilities; however, exploitation requires a high privilege user (admin+). |
CVE-2021-24125 | 1 Contact Form Submissions Project | 1 Contact Form Submissions | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH | Unvalidated input in the Contact Form Submissions WordPress plugin before 1.7.1 could lead to SQL injection in the wpcf7_contact_form GET parameter when submitting a filter request as a high privilege user (admin+). |
CVE-2021-24007 | 1 Fortinet | 1 Fortimail | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Multiple improper neutralization of special elements of SQL commands vulnerabilities in FortiMail before 6.4.4 may allow a non-authenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests. |
CVE-2021-23837 | 1 Flatcore | 1 Flatcore | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM | An issue was discovered in flatCore before 2.0.0 build 139. A time-based blind SQL injection was identified in the selected_folder HTTP request body parameter of the acp interface. The affected parameter (which retrieves the file contents of the specified folder) was found to accept malicious user input without proper sanitization, leading to SQL injection. Database-related information can be successfully retrieved. |
CVE-2021-23405 | 1 Pimcore | 1 Pimcore | 2024-11-21 | 6.5 MEDIUM | 8.3 HIGH | This affects the package pimcore/pimcore before 10.0.7. The issue exists due to the absence of a check on the storeId parameter in the collectionsActionGet and groupsActionGet methods within the ClassificationstoreController class. |