Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Wordpress
  • Search Type: Search All
There are 3,413 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2021-34630

In the Pro and Enterprise versions of GTranslate < 2.8.65, the gtranslate_request_uri_var function runs at the top of all pages and echoes out the contents of $_SERVER['REQUEST_URI']. Although this uses addslashes, and most modern browsers automatically URLencode requests, this plugin is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below, or in cases where an attacker is able to modify the request en route between the client and the server, or in cases where the user is using an atypical browsing solution.

Published: July 30, 2021; 5:15:08 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2021-34629

The SendGrid WordPress plugin is vulnerable to authorization bypass via the get_ajax_statistics function found in the ~/lib/class-sendgrid-statistics.php file which allows authenticated users to export statistic for a WordPress multi-site main site, in versions up to and including 1.11.8.

Published: July 30, 2021; 5:15:08 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2020-11511

The LearnPress plugin before 3.2.6.9 for WordPress allows remote attackers to escalate the privileges of any user to LP Instructor via the accept-to-be-teacher action parameter.

Published: July 30, 2021; 10:15:12 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2021-32790

Woocommerce is an open source eCommerce plugin for WordPress. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce plugin between version 3.3.0 and 3.3.6. Malicious actors (already) having admin access, or API keys to the WooCommerce site can exploit vulnerable endpoints of `/wp-json/wc/v3/webhooks`, `/wp-json/wc/v2/webhooks` and other webhook listing API. Read-only SQL queries can be executed using this exploit, while data will not be returned, by carefully crafting `search` parameter information can be disclosed using timing and related attacks. Version 3.3.6 is the earliest version of Woocommerce with a patch for this vulnerability. There are no known workarounds other than upgrading.

Published: July 26, 2021; 1:15:08 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2021-32789

woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce Blocks feature plugin between version 2.5.0 and prior to version 2.5.16. Via a carefully crafted URL, an exploit can be executed against the `wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]` endpoint that allows the execution of a read only sql query. There are patches for many versions of this package, starting with version 2.5.16. There are no known workarounds aside from upgrading.

Published: July 26, 2021; 12:15:07 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2021-34619

The WooCommerce Stock Manager WordPress plugin is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Upload in versions up to, and including, 2.5.7 due to missing nonce and file validation in the /woocommerce-stock-manager/trunk/admin/views/import-export.php file.

Published: July 21, 2021; 11:16:20 AM -0400
V3.1: 8.8 HIGH
V2.0: 6.8 MEDIUM
CVE-2021-3135

An issue was discovered in the tagDiv Newspaper theme 10.3.9.1 for WordPress. It allows XSS via the wp-admin/admin-ajax.php td_block_id parameter in a td_ajax_block API call.

Published: July 19, 2021; 5:15:07 PM -0400
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2021-34676

Basix NEX-Forms through 7.8.7 allows authentication bypass for Excel report generation.

Published: July 19, 2021; 1:15:11 PM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2021-34675

Basix NEX-Forms through 7.8.7 allows authentication bypass for stored PDF reports.

Published: July 19, 2021; 1:15:11 PM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2021-24482

The Related Posts for WordPress plugin through 2.0.4 does not sanitise its heading_text and CSS settings, allowing high privilege users (admin) to set XSS payloads in them, leading to Stored Cross-Site Scripting issues.

Published: July 19, 2021; 7:15:08 AM -0400
V3.1: 4.8 MEDIUM
V2.0: 3.5 LOW
CVE-2021-24453

The Include Me WordPress plugin through 1.2.1 is vulnerable to path traversal / local file inclusion, which can lead to Remote Code Execution (RCE) of the system due to log poisoning and therefore potentially a full compromise of the underlying structure

Published: July 19, 2021; 7:15:08 AM -0400
V3.1: 8.8 HIGH
V2.0: 9.0 HIGH
CVE-2021-24452

The W3 Total Cache WordPress plugin before 2.1.5 was affected by a reflected Cross-Site Scripting (XSS) issue within the "extension" parameter in the Extensions dashboard, when the 'Anonymously track usage to improve product quality' setting is enabled, as the parameter is output in a JavaScript context without proper escaping. This could allow an attacker, who can convince an authenticated admin into clicking a link, to run malicious JavaScript within the user's web browser, which could lead to full site compromise.

Published: July 19, 2021; 7:15:08 AM -0400
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2021-24447

The WP Image Zoom WordPress plugin before 1.47 did not validate its tab parameter before using it in the include_once() function, leading to a local file inclusion issue in the admin dashboard

Published: July 19, 2021; 7:15:08 AM -0400
V3.1: 5.3 MEDIUM
V2.0: 5.0 MEDIUM
CVE-2021-24436

The W3 Total Cache WordPress plugin before 2.1.4 was vulnerable to a reflected Cross-Site Scripting (XSS) security vulnerability within the "extension" parameter in the Extensions dashboard, which is output in an attribute without being escaped first. This could allow an attacker, who can convince an authenticated admin into clicking a link, to run malicious JavaScript within the user's web browser, which could lead to full site compromise.

Published: July 19, 2021; 7:15:08 AM -0400
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2021-32770

Gatsby is a framework for building websites. The gatsby-source-wordpress plugin prior to versions 4.0.8 and 5.9.2 leaks .htaccess HTTP Basic Authentication variables into the app.js bundle during build-time. Users who are not initializing basic authentication credentials in the gatsby-config.js are not affected. A patch has been introduced in gatsby-source-wordpress@4.0.8 and gatsby-source-wordpress@5.9.2 which mitigates the issue by filtering all variables specified in the `auth: { }` section. Users that depend on this functionality are advised to upgrade to the latest release of gatsby-source-wordpress, run `gatsby clean` followed by a `gatsby build`. One may manually edit the app.js file post-build as a workaround.

Published: July 15, 2021; 3:15:07 PM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2021-20782

Cross-site request forgery (CSRF) vulnerability in Software License Manager versions prior to 4.4.6 allows remote attackers to hijack the authentication of administrators via unspecified vectors.

Published: July 13, 2021; 10:15:07 PM -0400
V3.1: 8.8 HIGH
V2.0: 6.8 MEDIUM
CVE-2021-20781

Cross-site request forgery (CSRF) vulnerability in WordPress Meta Data Filter & Taxonomies Filter versions prior to v.1.2.8 and versions prior to v.2.2.8 allows remote attackers to hijack the authentication of administrators via unspecified vectors.

Published: July 13, 2021; 10:15:07 PM -0400
V3.1: 8.8 HIGH
V2.0: 6.8 MEDIUM
CVE-2020-26153

A cross-site scripting (XSS) vulnerability in wp-content/plugins/event-espresso-core-reg/admin_pages/messages/templates/ee_msg_admin_overview.template.php in the Event Espresso Core plugin before 4.10.7.p for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter.

Published: July 13, 2021; 7:15:08 AM -0400
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2021-24454

In the YOP Poll WordPress plugin before 6.2.8, when a pool is created with the options "Allow other answers", "Display other answers in the result list" and "Show results", it can lead to Stored Cross-Site Scripting issues as the 'Other' answer is not sanitised before being output in the page. The execution of the XSS payload depends on the 'Show results' option selected, which could be before or after sending the vote for example.

Published: July 12, 2021; 4:15:09 PM -0400
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2021-24442

The Poll, Survey, Questionnaire and Voting system WordPress plugin before 1.5.3 did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks

Published: July 12, 2021; 4:15:09 PM -0400
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH