Total
37264 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24888 | 1 Imageboss | 1 Imageboss | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The ImageBoss WordPress plugin before 3.0.6 does not sanitise and escape its Source Name setting, which could allow high privilege users to perform Cross-Site Scripting attacks | |||||
| CVE-2021-24885 | 1 Yop-poll | 1 Yop-poll | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The YOP Poll WordPress plugin before 6.1.2 does not escape the perpage parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2021-24884 | 1 Strategy11 | 1 Formidable Form Builder | 2024-11-21 | 6.8 MEDIUM | 9.6 CRITICAL |
| The Formidable Form Builder WordPress plugin before 4.09.05 allows to inject certain HTML Tags like <audio>,<video>,<img>,<a> and<button>.This could allow an unauthenticated, remote attacker to exploit a HTML-injection byinjecting a malicous link. The HTML-injection may trick authenticated users to follow the link. If the Link gets clicked, Javascript code can be executed. The vulnerability is due to insufficient sanitization of the "data-frmverify" tag for links in the web-based entry inspection page of affected systems. A successful exploitation incomibantion with CSRF could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These actions include stealing the users account by changing their password or allowing attackers to submit their own code through an authenticated user resulting in Remote Code Execution. If an authenticated user who is able to edit Wordpress PHP Code in any kind, clicks the malicious link, PHP code can be edited. | |||||
| CVE-2021-24883 | 1 Essentialplugin | 1 Popup Anything | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Popup Anything WordPress plugin before 2.0.4 does not escape the Link Text and Button Text fields of Popup, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks | |||||
| CVE-2021-24882 | 1 Tribulant | 1 Slideshow Gallery | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Slideshow Gallery WordPress plugin before 1.7.4 does not sanitise and escape the Slide "Title", "Description", and Gallery "Title" fields, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed | |||||
| CVE-2021-24880 | 1 Supportcandy | 1 Supportcandy | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The SupportCandy WordPress plugin before 2.2.7 does not validate and escape the page attribute of its shortcode, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks | |||||
| CVE-2021-24878 | 1 Supportcandy | 1 Supportcandy | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The SupportCandy WordPress plugin before 2.2.7 does not sanitise and escape the query string before outputting it back in pages with the [wpsc_create_ticket] shortcode embed, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24876 | 1 Roundupwp | 1 Registrations For The Events Calendar | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Registrations for the Events Calendar WordPress plugin before 2.7.5 does not escape the v parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting | |||||
| CVE-2021-24875 | 1 Implecode | 1 Ecommerce Product Catalog | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The eCommerce Product Catalog Plugin for WordPress plugin before 3.0.39 does not escape the ic-settings-search parameter before outputting it back in the page in an attribute, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24874 | 1 Brevo | 1 Newsletter\, Smtp\, Email Marketing And Subscribe | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue WordPress plugin before 3.1.31 does not escape the lang and pid parameter before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues | |||||
| CVE-2021-24873 | 1 Themeum | 1 Tutor Lms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Tutor LMS WordPress plugin before 1.9.11 does not sanitise and escape user input before outputting back in attributes in the Student Registration page, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24871 | 1 Get Custom Field Values Project | 1 Get Custom Field Values | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Get Custom Field Values WordPress plugin before 4.0.1 does not escape custom fields before outputting them in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks | |||||
| CVE-2021-24856 | 1 Tammersoft | 1 Shared Files | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Shared Files WordPress plugin before 1.6.61 does not sanitise and escape the Download Counter Text settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2021-24855 | 1 Display Post Metadata Project | 1 Display Post Metadata | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Display Post Metadata WordPress plugin before 1.5.0 adds a shortcode to print out custom fields, however their content is not sanitised or escaped which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks | |||||
| CVE-2021-24854 | 1 Qr Redirector Project | 1 Qr Redirector | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The QR Redirector WordPress plugin before 1.6.1 does not sanitise and escape some of the QR Redirect fields, which could allow users with a role as low as Contributor perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2021-24850 | 1 Insert Pages Project | 1 Insert Pages | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Insert Pages WordPress plugin before 3.7.0 adds a shortcode that prints out other pages' content and custom fields. It can be used by users with a role as low as Contributor to perform Cross-Site Scripting attacks by storing the payload/s in another post's custom fields. | |||||
| CVE-2021-24841 | 1 Helpful Project | 1 Helpful | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Helpful WordPress plugin before 4.4.59 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2021-24834 | 1 Yop-poll | 1 Yop Poll | 2024-11-21 | 4.3 MEDIUM | 5.4 MEDIUM |
| The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability which exists in the Create Poll - Options module where a user with a role as low as author is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of custom label parameters - vote button label , results link label and back to vote caption label. | |||||
| CVE-2021-24833 | 1 Yop-poll | 1 Yop Poll | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability, which exists in the Admin preview module where a user with a role as low as author is allowed to execute arbitrary script code within the context of the application. This vulnerability is due to insufficient validation of question and answer text parameters in Create Poll module. | |||||
| CVE-2021-24830 | 1 Vasyltech | 1 Advanced Access Manager | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Advanced Access Manager WordPress plugin before 6.8.0 does not escape some of its settings when outputting them, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||