Total: 37272 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2021-24973 | 1 Geminilabs | 1 Site Reviews | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Site Reviews WordPress plugin before 5.17.3 does not sanitise and escape the site-reviews parameter of the glsr_action AJAX action (available to unauthenticated and any authenticated users), allowing them to perform Cross-Site Scripting attacks against logged in admins viewing the Tool dashboard of the plugin
CVE-2021-24972 | 1 Fatcatapps | 1 Pixel Cat | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The Pixel Cat WordPress plugin before 2.6.3 does not escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
CVE-2021-24971 | 1 Magnigenie | 1 Wp Responsive Menu | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The WP Responsive Menu WordPress plugin before 3.1.7.1 does not have capability and CSRF checks in the wpr_live_update AJAX action, and does not sanitise and escape some of the data submitted. As a result, any authenticated user, such as a subscriber, could update the plugin's settings and perform Cross-Site Scripting attacks against all visitors and users on the frontend
CVE-2021-24967 | 1 Themehunk | 1 Contact Form & Lead Form Elementor Builder | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.6.4 does not sanitise and escape some lead values, which could allow unauthenticated users to perform Cross-Site Scripting attacks against logged in admins viewing the inserted Leads
CVE-2021-24965 | 1 Fivestarplugins | 1 Five Star Restaurant Reservations | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The Five Star Restaurant Reservations WordPress plugin before 2.4.8 does not have capability and CSRF checks in the rtb_welcome_set_schedule AJAX action, allowing any authenticated user to call it. Due to the lack of sanitisation and escaping, users with a role as low as subscriber could perform Cross-Site Scripting attacks against logged in admins
CVE-2021-24963 | 1 Litespeedtech | 1 Litespeed Cache | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The LiteSpeed Cache WordPress plugin before 4.4.4 does not escape the qc_res parameter before outputting it back in the JS code of an admin page, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24961 | 1 Iptanus | 2 Wordpress File Upload, Wordpress File Upload Pro | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The WordPress File Upload WordPress plugin before 4.16.3 and the wordpress-file-upload-pro WordPress plugin before 4.16.3 do not escape some of their shortcode arguments, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks
CVE-2021-24958 | 1 Mekshq | 1 Meks Easy Photo Feed Widget | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM | The Meks Easy Photo Feed Widget WordPress plugin before 1.2.4 does not have capability and CSRF checks in the meks_save_business_selected_account AJAX action, available to any authenticated user, and does not escape some of the settings. As a result, any authenticated user, such as a subscriber, could update the plugin's settings and put Cross-Site Scripting payloads in them
CVE-2021-24956 | 1 Adenion | 1 Blog2social | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 6.8.7 does not sanitise and escape the b2sShowByDate parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24955 | 1 Profilepress | 1 User Registration, Login Form, User Profile & Membership | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The User Registration, Login Form, User Profile & Membership WordPress plugin before 3.2.3 does not escape the data parameter of the pp_get_forms_by_builder_type AJAX action before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24954 | 1 Profilepress | 1 User Registration, Login Form, User Profile & Membership | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The User Registration, Login Form, User Profile & Membership WordPress plugin before 3.2.3 does not sanitise and escape the ppress_cc_data parameter before outputting it back in an attribute of an admin dashboard page, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24953 | 1 Tinywebgallery | 1 Advanced Iframe | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Advanced iFrame WordPress plugin before 2022 does not sanitise and escape the ai_config_id parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24944 | 1 Cusmin | 1 Absolutely Glamorous Custom Admin | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM | The Custom Dashboard & Login Page WordPress plugin before 7.0 does not sanitise some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
CVE-2021-24941 | 1 Icegram | 1 Icegram | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Popups, Welcome Bar, Optins and Lead Generation Plugin WordPress plugin before 2.0.5 does not sanitise and escape the message_id parameter of the get_message_action_row AJAX action before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24940 | 1 Woocommerce | 1 Persian-woocommerce | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Persian Woocommerce WordPress plugin through 5.8.0 does not escape the s parameter before outputting it back in an attribute in the admin dashboard, which could lead to a Reflected Cross-Site Scripting issue
CVE-2021-24939 | 1 Profilepress | 1 Loginwp | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The LoginWP (Formerly Peter's Login Redirect) WordPress plugin before 3.0.0.5 does not sanitise and escape the rul_login_url and rul_logout_url parameters before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24938 | 1 Woocommerce | 1 Woocommerce Currency Switcher | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The WOOCS WordPress plugin before 1.3.7.1 does not sanitise and escape the key parameter of the woocs_update_profiles_data AJAX action (available to any authenticated user) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24937 | 1 Asset Cleanup | 1 Page Speed Booster Project | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Asset CleanUp: Page Speed Booster WordPress plugin before 1.3.8.5 does not escape the wpacu_selected_sub_tab_area parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24935 | 1 Wp Google Fonts Project | 1 Wp Google Fonts | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The WP Google Fonts WordPress plugin before 3.1.5 does not escape the googlefont_ajax_name and googlefont_ajax_family parameters of the googlefont_action AJAX action (available to any authenticated user) before outputting them in attributes, leading to Reflected Cross-Site Scripting issues
CVE-2021-24934 | 1 Yellowpencil | 1 Visual Css Style Editor | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM | The Visual CSS Style Editor WordPress plugin before 7.5.4 does not sanitise and escape the wyp_page_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue