Search Results
- Results Type: Overview
- Keyword (text search): XSS Wordpress
- Search Type: Search All
- CPE Name Search: false
| Vuln ID | Summary | CVSS Severity |
|---|---|---|
| CVE-2021-24177 | In the default configuration of the File Manager WordPress plugin before 7.1, a Reflected XSS can occur on the endpoint /wp-admin/admin.php?page=wp_file_manager_properties when a payload is submitted on the User-Agent parameter. The payload is then reflected back on the web application response. Published: April 05, 2021; 3:15:16 PM -0400 | V3.1: 5.4 MEDIUM; V2.0: 3.5 LOW |
| CVE-2021-24169 | This Advanced Order Export For WooCommerce WordPress plugin before 3.1.8 helps you to easily export WooCommerce order data. The tab parameter in the Admin Panel is vulnerable to reflected XSS. Published: April 05, 2021; 3:15:15 PM -0400 | V3.1: 6.1 MEDIUM; V2.0: 4.3 MEDIUM |
| CVE-2021-24168 | The Easy Contact Form Pro WordPress plugin before 1.1.1.9 did not properly sanitise the text fields (such as Email Subject, Email Recipient, etc.) when creating or editing a form, leading to an authenticated (author+) stored cross-site scripting issue. This could allow medium privilege accounts (such as author and editor) to perform XSS attacks against high privilege ones like administrator. Published: April 05, 2021; 3:15:15 PM -0400 | V3.1: 5.4 MEDIUM; V2.0: 3.5 LOW |
| CVE-2020-35942 | A Cross-Site Request Forgery (CSRF) issue in the NextGEN Gallery plugin before 3.5.0 for WordPress allows File Upload and Local File Inclusion via settings modification, leading to Remote Code Execution and XSS. (It is possible to bypass CSRF protection by simply not including a nonce parameter.) Published: February 09, 2021; 1:15:44 PM -0500 | V3.1: 8.8 HIGH; V2.0: 6.8 MEDIUM |
| CVE-2020-36172 | The Advanced Custom Fields plugin before 5.8.12 for WordPress mishandles the escaping of strings in Select2 dropdowns, potentially leading to XSS. Published: January 06, 2021; 10:15:15 AM -0500 | V3.1: 6.1 MEDIUM; V2.0: 4.3 MEDIUM |
| CVE-2020-35947 | An issue was discovered in the PageLayer plugin before 1.1.2 for WordPress. Nearly all of the AJAX action endpoints lacked permission checks, allowing these actions to be executed by anyone authenticated on the site. This happened because nonces were used as a means of authorization, but a nonce was present in a publicly viewable page. The greatest impact was the pagelayer_save_content function that allowed pages to be modified and allowed XSS to occur. Published: December 31, 2020; 11:15:13 PM -0500 | V3.1: 7.4 HIGH; V2.0: 6.5 MEDIUM |
| CVE-2020-35946 | An issue was discovered in the All in One SEO Pack plugin before 3.6.2 for WordPress. The SEO Description and Title fields are vulnerable to unsanitized input from a Contributor, leading to stored XSS. Published: December 31, 2020; 11:15:13 PM -0500 | V3.1: 5.4 MEDIUM; V2.0: 3.5 LOW |
| CVE-2020-35944 | An issue was discovered in the PageLayer plugin before 1.1.2 for WordPress. The pagelayer_settings_page function is vulnerable to CSRF, which can lead to XSS. Published: December 31, 2020; 11:15:13 PM -0500 | V3.1: 8.8 HIGH; V2.0: 6.8 MEDIUM |
| CVE-2020-35589 | The limit-login-attempts-reloaded plugin before 2.17.4 for WordPress allows wp-admin/options-general.php?page=limit-login-attempts&tab= XSS. A malicious user can cause an administrator user to supply dangerous content to the vulnerable page, which is then reflected back to the user and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to victims. Published: December 21, 2020; 2:15:13 AM -0500 | V3.1: 5.4 MEDIUM; V2.0: 3.5 LOW |
| CVE-2020-29303 | A cross-site scripting (XSS) vulnerability in the SabaiApp Directories Pro plugin 1.3.45 for WordPress allows remote attackers to inject arbitrary web script or HTML via a POST to /wp-admin/admin.php?page=drts/directories&q=%2F with the _drts_form_build_id parameter containing the XSS payload and the _t_ parameter set to an invalid or non-existent CSRF token. Published: December 14, 2020; 3:15:12 PM -0500 | V3.1: 6.1 MEDIUM; V2.0: 4.3 MEDIUM |
| CVE-2020-14206 | The DiveBook plugin 1.1.4 for WordPress is prone to unauthenticated XSS within the filter function (via an arbitrary parameter). Published: December 08, 2020; 3:15:15 PM -0500 | V3.1: 6.1 MEDIUM; V2.0: 4.3 MEDIUM |
| CVE-2020-29395 | The EventON plugin through 3.0.5 for WordPress allows addons/?q= XSS via the search field. Published: November 30, 2020; 3:15:11 PM -0500 | V3.1: 6.1 MEDIUM; V2.0: 4.3 MEDIUM |
| CVE-2020-28650 | The WPBakery plugin before 6.4.1 for WordPress allows XSS because it calls kses_remove_filters to disable the standard WordPress XSS protection mechanism for the Author and Contributor roles. Published: November 15, 2020; 11:15:12 PM -0500 | V3.1: 5.4 MEDIUM; V2.0: 3.5 LOW |
| CVE-2020-28038 | WordPress before 5.5.2 allows stored XSS via post slugs. Published: November 02, 2020; 4:15:31 PM -0500 | V3.1: 6.1 MEDIUM; V2.0: 4.3 MEDIUM |
| CVE-2020-28034 | WordPress before 5.5.2 allows XSS associated with global variables. Published: November 02, 2020; 4:15:30 PM -0500 | V3.1: 6.1 MEDIUM; V2.0: 4.3 MEDIUM |
| CVE-2020-16140 | The search functionality of the Greenmart theme 2.4.2 for WordPress is vulnerable to XSS. Published: October 27, 2020; 6:15:12 PM -0400 | V3.1: 6.1 MEDIUM; V2.0: 4.3 MEDIUM |
| CVE-2020-27615 | The Loginizer plugin before 1.6.4 for WordPress allows SQL injection (with resultant XSS), related to loginizer_login_failed and lz_valid_ip. Published: October 21, 2020; 5:15:13 PM -0400 | V3.1: 9.8 CRITICAL; V2.0: 7.5 HIGH |
| CVE-2020-27344 | The cm-download-manager plugin before 2.8.0 for WordPress allows XSS. Published: October 21, 2020; 4:15:13 PM -0400 | V3.1: 6.1 MEDIUM; V2.0: 4.3 MEDIUM |
| CVE-2020-24699 | The Chamber Dashboard Business Directory plugin 3.2.8 for WordPress allows XSS. Published: August 31, 2020; 12:15:15 PM -0400 | V3.1: 6.1 MEDIUM; V2.0: 4.3 MEDIUM |
| CVE-2020-20626 | lara-google-analytics.php in the Lara Google Analytics plugin through 2.0.4 for WordPress allows authenticated stored XSS. Published: August 31, 2020; 12:15:15 PM -0400 | V3.1: 5.4 MEDIUM; V2.0: 3.5 LOW |