Total
37252 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24590 | 1 Gdprinfo | 1 Cookie Notice \& Consent Banner For Gdpr \& Ccpa Compliance | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Cookie Notice & Consent Banner for GDPR & CCPA Compliance WordPress plugin before 1.7.2 does not properly sanitize inputs to prevent injection of arbitrary HTML within the plugin's design customization options. | |||||
| CVE-2021-24588 | 1 Cozyvision | 1 Sms Alert Order Notifications | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The SMS Alert Order Notifications WordPress plugin before 3.4.7 is affected by a cross site scripting (XSS) vulnerability in the plugin's setting page. | |||||
| CVE-2021-24587 | 1 Zeesweb | 1 Splash Header | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Splash Header WordPress plugin before 1.20.8 doesn't sanitise and escape some of its settings while outputting them in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24586 | 1 Evona | 1 Per Page Add To Head | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Per page add to head WordPress plugin before 1.4.4 is lacking any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the setting (feature mentioned by the plugin), this could lead to Stored XSS issue which will be triggered either in the backend, frontend or both depending on the payload used. | |||||
| CVE-2021-24584 | 1 Motopress | 1 Timetable And Event Schedule | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Timetable and Event Schedule WordPress plugin before 2.4.2 does not have proper access control when updating a timeslot, allowing any user with the edit_posts capability (contributor+) to update arbitrary timeslot from any events. Furthermore, no CSRF check is in place as well, allowing such attack to be perform via CSRF against a logged in with such capability. In versions before 2.3.19, the lack of sanitisation and escaping in some of the fields, like the descritption could also lead to Stored XSS issues | |||||
| CVE-2021-24582 | 1 Thinktwit Project | 1 Thinktwit | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The ThinkTwit WordPress plugin before 1.7.1 did not sanitise or escape its "Consumer key" setting before outputting it its settings page, leading to a Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24581 | 1 Blue-admin Project | 1 Blue-admin | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| The Blue Admin WordPress plugin through 21.06.01 does not sanitise or escape its "Logo Title" setting before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin does not have CSRF check in place when saving its settings, allowing the issue to be exploited via a CSRF attack. | |||||
| CVE-2021-24578 | 1 Themeboy | 1 Sportspress | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The SportsPress WordPress plugin before 2.7.9 does not sanitise and escape its match_day parameter before outputting back in the Events backend page, leading to a Reflected Cross-Site Scripting issue | |||||
| CVE-2021-24577 | 1 Wpdevart | 1 Coming Soon And Maintenance Mode | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Coming soon and Maintenance mode WordPress plugin before 3.5.3 does not properly sanitize inputs submitted by authenticated users when setting adding or modifying coming soon or maintenance mode pages, leading to stored XSS. | |||||
| CVE-2021-24576 | 1 Techearty | 1 Easy Accordion | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Easy Accordion WordPress plugin before 2.0.22 does not properly sanitize inputs when adding new items to an accordion. | |||||
| CVE-2021-24574 | 1 Simple Banner Project | 1 Simple Banner | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Simple Banner WordPress plugin before 2.10.4 does not sanitise and escape one of its settings, allowing high privilege users such as admin to use Cross-Site Scripting payload even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-24571 | 1 Harmonicdesign | 1 Hd Quiz | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The HD Quiz WordPress plugin before 1.8.4 does not escape some of its Answers before outputting them in attribute when generating the Quiz, which could lead to Stored Cross-Site Scripting issues | |||||
| CVE-2021-24570 | 1 Wpplugin | 1 Accept Donations With Paypal | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Accept Donations with PayPal WordPress plugin before 1.3.1 offers a function to create donation buttons, which internally are posts. The process to create a new button is lacking a CSRF check. An attacker could use this to make an authenticated admin create a new button. Furthermore, one of the Button field is not escaped before being output in an attribute when editing a Button, leading to a Stored Cross-Site Scripting issue as well. | |||||
| CVE-2021-24569 | 1 Hu-manity | 1 Cookie Notice \& Compliance For Gdpr \/ Ccpa | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Cookie Notice & Compliance for GDPR / CCPA WordPress plugin before 2.1.2 does not escape the value of its Button Text setting when outputting it in an attribute in the frontend, allowing high privilege users such as admin to perform Cross-Site Scripting even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-24568 | 1 Addtoany | 1 Addtoany Share Buttons | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The AddToAny Share Buttons WordPress plugin before 1.7.46 does not sanitise its Sharing Header setting when outputting it in frontend pages, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2021-24567 | 1 Nickmomrik | 1 Simple Post | 2024-11-21 | N/A | 5.4 MEDIUM |
| The Simple Post WordPress plugin through 1.1 does not sanitize user input when an authenticated user Text value, then it does not escape these values when outputting to the browser leading to an Authenticated Stored XSS Cross-Site Scripting issue. | |||||
| CVE-2021-24565 | 1 Contact Form 7 Captcha Project | 1 Contact Form 7 Captcha | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| The Contact Form 7 Captcha WordPress plugin before 0.0.9 does not have any CSRF check in place when saving its settings, allowing attacker to make a logged in user with the manage_options change them. Furthermore, the settings are not escaped when output in attributes, leading to a Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24564 | 1 Wpfront | 1 Scroll Top | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The WPFront Scroll Top WordPress plugin before 2.0.6.07225 does not sanitise or escape its Image ALT setting before outputting it attributes, leading to an Authenticated Stored Cross-Site Scripting issues even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-24563 | 1 Frontend Uploader Project | 1 Frontend Uploader | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Frontend Uploader WordPress plugin through 1.3.2 does not prevent HTML files from being uploaded via its form, allowing unauthenticated user to upload a malicious HTML file containing JavaScript for example, which will be triggered when someone access the file directly | |||||
| CVE-2021-24560 | 1 Tipsandtricks-hq | 1 Software License Manager | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Software License Manager WordPress plugin before 4.4.8 does not sanitise or escape the edit_record parameter before outputting it back in the page in the admin dashboard, leading to a Reflected Cross-Site Scripting issue | |||||