Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Wordpress
  • Search Type: Search All
There are 3,648 matching records.
Displaying matches 101 through 120.
Vuln ID Summary CVSS Severity
CVE-2021-24438

The ShareThis Dashboard for Google Analytics WordPress plugin before 2.5.2 does not sanitise or escape the 'ga_action' parameter in the stats view before outputting it back in an attribute when the plugin is connected to a Google Analytics account, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator

Published: August 30, 2021; 11:15:07 AM -0400
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2021-24437

The Favicon by RealFaviconGenerator WordPress plugin through 1.3.20 does not sanitise or escape one of its parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting (XSS) which is executed in the context of a logged administrator.

Published: August 30, 2021; 11:15:07 AM -0400
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2021-24658

The Erident Custom Login and Dashboard WordPress plugin before 3.5.9 did not properly sanitise its settings, allowing high privilege users to use XSS payloads in them (even when the unfileted_html is disabled)

Published: August 23, 2021; 8:15:10 AM -0400
V3.1: 4.8 MEDIUM
V2.0: 3.5 LOW
CVE-2021-24602

The HM Multiple Roles WordPress plugin before 1.3 does not have any access control to prevent low privilege users to set themselves as admin via their profile page

Published: August 23, 2021; 8:15:10 AM -0400
V3.1: 8.8 HIGH
V2.0: 6.5 MEDIUM
CVE-2021-24574

The Simple Banner WordPress plugin before 2.10.4 does not sanitise and escape one of its settings, allowing high privilege users such as admin to use Cross-Site Scripting payload even when the unfiltered_html capability is disallowed.

Published: August 23, 2021; 8:15:10 AM -0400
V3.1: 4.8 MEDIUM
V2.0: 3.5 LOW
CVE-2021-24571

The HD Quiz WordPress plugin before 1.8.4 does not escape some of its Answers before outputting them in attribute when generating the Quiz, which could lead to Stored Cross-Site Scripting issues

Published: August 23, 2021; 8:15:10 AM -0400
V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2021-24565

The Contact Form 7 Captcha WordPress plugin before 0.0.9 does not have any CSRF check in place when saving its settings, allowing attacker to make a logged in user with the manage_options change them. Furthermore, the settings are not escaped when output in attributes, leading to a Stored Cross-Site Scripting issue.

Published: August 23, 2021; 8:15:10 AM -0400
V3.1: 8.8 HIGH
V2.0: 6.8 MEDIUM
CVE-2021-24564

The WPFront Scroll Top WordPress plugin before 2.0.6.07225 does not sanitise or escape its Image ALT setting before outputting it attributes, leading to an Authenticated Stored Cross-Site Scripting issues even when the unfiltered_html capability is disallowed.

Published: August 23, 2021; 8:15:10 AM -0400
V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2021-24562

The LMS by LifterLMS – Online Course, Membership & Learning Management System Plugin for WordPress plugin before 4.21.2 was affected by an IDOR issue, allowing students to see other student answers and grades

Published: August 23, 2021; 8:15:10 AM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2021-24561

The WP SMS WordPress plugin before 5.4.13 does not sanitise the "wp_group_name" parameter before outputting it back in the "Groups" page, leading to an Authenticated Stored Cross-Site Scripting issue

Published: August 23, 2021; 8:15:10 AM -0400
V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2021-24558

The pspin_duplicate_post_save_as_new_post function of the Project Status WordPress plugin through 1.6 does not sanitise, validate or escape the post GET parameter passed to it before outputting it in an error message when the related post does not exist, leading to a reflected XSS issue

Published: August 23, 2021; 8:15:10 AM -0400
V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2021-24556

The kento_email_subscriber_ajax AJAX action of the Email Subscriber WordPress plugin through 1.1, does not properly sanitise, validate and escape the submitted subscribe_email and subscribe_name POST parameters, inserting them in the DB and then outputting them back in the Subscriber list (/wp-admin/edit.php?post_type=kes_campaign&page=kento_email_subscriber_list_settings), leading a Stored XSS issue.

Published: August 23, 2021; 8:15:09 AM -0400
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2021-24554

The Paytm – Donation Plugin WordPress plugin through 1.3.2 does not sanitise, validate or escape the id GET parameter before using it in a SQL statement when deleting donations, leading to an authenticated SQL injection issue

Published: August 23, 2021; 8:15:09 AM -0400
V3.1: 7.2 HIGH
V2.0: 6.5 MEDIUM
CVE-2021-24553

The Timeline Calendar WordPress plugin through 1.2 does not sanitise, validate or escape the edit GET parameter before using it in a SQL statement when editing events, leading to an authenticated SQL injection issue. Other SQL Injections are also present in the plugin

Published: August 23, 2021; 8:15:09 AM -0400
V3.1: 7.2 HIGH
V2.0: 6.5 MEDIUM
CVE-2021-24552

The Simple Events Calendar WordPress plugin through 1.4.0 does not sanitise, validate or escape the event_id POST parameter before using it in a SQL statement when deleting events, leading to an authenticated SQL injection issue

Published: August 23, 2021; 8:15:09 AM -0400
V3.1: 7.2 HIGH
V2.0: 6.5 MEDIUM
CVE-2021-24551

The Edit Comments WordPress plugin through 0.3 does not sanitise, validate or escape the jal_edit_comments GET parameter before using it in a SQL statement, leading to a SQL injection issue

Published: August 23, 2021; 8:15:09 AM -0400
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2021-24550

The Broken Link Manager WordPress plugin through 0.6.5 does not sanitise, validate or escape the url GET parameter before using it in a SQL statement when retrieving an URL to edit, leading to an authenticated SQL injection issue

Published: August 23, 2021; 8:15:09 AM -0400
V3.1: 7.2 HIGH
V2.0: 6.5 MEDIUM
CVE-2021-24549

The AceIDE WordPress plugin through 2.6.2 does not sanitise or validate the user input which is appended to system paths before using it in various actions, such as to read arbitrary files from the server. This allows high privilege users such as administrator to access any file on the web server outside of the blog directory via a path traversal attack.

Published: August 23, 2021; 8:15:09 AM -0400
V3.1: 4.9 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2021-24547

The KN Fix Your Title WordPress plugin through 1.0.1 was vulnerable to Authenticated Stored XSS in the separator field.

Published: August 23, 2021; 8:15:09 AM -0400
V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2021-24533

The Maintenance WordPress plugin before 4.03 does not sanitise or escape some of its settings, allowing high privilege users such as admin to se Cross-Site Scripting payload in them (even when the unfiltered_html capability is disallowed), which will be triggered in the frontend

Published: August 23, 2021; 8:15:09 AM -0400
V3.1: 4.8 MEDIUM
V2.0: 3.5 LOW