Total
37249 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24547 | 1 Kn Fix Your Title Project | 1 Kn Fix Your Title | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The KN Fix Your Title WordPress plugin through 1.0.1 was vulnerable to Authenticated Stored XSS in the separator field. | |||||
| CVE-2021-24545 | 1 Wp Html Author Bio Project | 1 Wp Html Author Bio | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The WP HTML Author Bio WordPress plugin through 1.2.0 does not sanitise the HTML allowed in the Bio of users, allowing them to use malicious JavaScript code, which will be executed when anyone visit a post in the frontend made by such user. As a result, user with a role as low as author could perform Cross-Site Scripting attacks against users, which could potentially lead to privilege escalation when an admin view the related post/s. | |||||
| CVE-2021-24544 | 1 Motopress | 1 Motopress-slider-lite | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Responsive WordPress Slider WordPress plugin through 2.2.0 does not sanitise and escape some of the Slider options, allowing Cross-Site Scripting payloads to be set in them. Furthermore, as by default any authenticated user is allowed to create Sliders (https://wordpress.org/support/topic/slider-can-be-changed-from-any-user-even-subscriber/, such settings can be changed in the plugin's settings), this would allow user with a role as low as subscriber to perform Cross-Site Scripting attacks against logged in admins viewing the slider list and could lead to privilege escalation by creating a rogue admin account for example. | |||||
| CVE-2021-24543 | 1 Jquery-reply-to-comment Project | 1 Jquery-reply-to-comment | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The jQuery Reply to Comment WordPress plugin through 1.31 does not have any CSRF check when saving its settings, nor sanitise or escape its 'Quote String' and 'Reply String' settings before outputting them in Comments, leading to a Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24541 | 1 Wonderplugin | 1 Wonder Pdf Embed | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Wonder PDF Embed WordPress plugin before 1.7 does not escape parameters of its wonderplugin_pdf shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks. | |||||
| CVE-2021-24540 | 1 Wonderplugin | 1 Wonder Video Embed | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Wonder Video Embed WordPress plugin before 1.8 does not escape parameters of its wonderplugin_video shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks. | |||||
| CVE-2021-24539 | 1 Dazzlersoftware | 1 Coming Soon\, Under Construction \& Maintenance Mode By Dazzler | 2024-11-21 | 2.1 LOW | 4.8 MEDIUM |
| The Coming Soon, Under Construction & Maintenance Mode By Dazzler WordPress plugin before 1.6.7 does not sanitise or escape its description setting when outputting it in the frontend when the Coming Soon mode is enabled, even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue | |||||
| CVE-2021-24538 | 1 Current Book Project | 1 Current Book | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Current Book WordPress plugin through 1.0.1 does not sanitize user input when an authenticated user adds Author or Book Title, then does not escape these values when outputting to the browser leading to an Authenticated Stored XSS Cross-Site Scripting issue. | |||||
| CVE-2021-24536 | 1 Custom Login Redirect Project | 1 Custom Login Redirect | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Custom Login Redirect WordPress plugin through 1.0.0 does not have CSRF check in place when saving its settings, and do not sanitise or escape user input before outputting them back in the page, leading to a Stored Cross-Site Scripting issue | |||||
| CVE-2021-24535 | 1 Light Messages Project | 1 Light Messages | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Light Messages WordPress plugin through 1.0 is lacking CSRF check when updating it's settings, and is not sanitising its Message Content in them (even with the unfiltered_html disallowed). As a result, an attacker could make a logged in admin update the settings to arbitrary values, and set a Cross-Site Scripting payload in the Message Content. Depending on the options set, the XSS payload can be triggered either in the backend only (in the plugin's settings), or both frontend and backend. | |||||
| CVE-2021-24534 | 1 Phonetrack | 1 Phonetrack Meu Site Manager | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The PhoneTrack Meu Site Manager WordPress plugin through 0.1 does not sanitise or escape its "php_id" setting before outputting it back in an attribute in the page, leading to a stored Cross-Site Scripting issue. | |||||
| CVE-2021-24533 | 1 Webfactoryltd | 1 Maintenance | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Maintenance WordPress plugin before 4.03 does not sanitise or escape some of its settings, allowing high privilege users such as admin to se Cross-Site Scripting payload in them (even when the unfiltered_html capability is disallowed), which will be triggered in the frontend | |||||
| CVE-2021-24531 | 1 Wpcharitable | 1 Charitable | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Charitable – Donation Plugin WordPress plugin before 1.6.51 is affected by an authenticated stored cross-site scripting vulnerability which was found in the add donation feature. | |||||
| CVE-2021-24530 | 1 Alojapro | 1 Alojapro Widget | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Alojapro Widget WordPress plugin through 1.1.15 doesn't properly sanitise its Custom CSS settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | |||||
| CVE-2021-24529 | 1 Awplife | 1 Grid Gallery | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Grid Gallery – Photo Image Grid Gallery WordPress plugin before 1.2.5 does not properly sanitize the title field for image galleries when adding them via the admin dashboard, resulting in an authenticated Stored Cross-Site Scripting vulnerability. | |||||
| CVE-2021-24528 | 1 Wpmanageninja | 1 Fluentsmtp | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The FluentSMTP WordPress plugin before 2.0.1 does not sanitize parameters before storing the settings in the database, nor does the plugin escape the values before outputting them when viewing the SMTP settings set by this plugin, leading to a stored cross site scripting (XSS) vulnerability. Only users with roles capable of managing plugins can modify the plugin's settings. | |||||
| CVE-2021-24526 | 1 10web | 1 Form Maker | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder WordPress plugin before 1.13.60 does not escape its Form Title before outputting it in an attribute when editing a form in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue | |||||
| CVE-2021-24525 | 1 Getshortcodes | 1 Shortcodes Ultimate | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Shortcodes Ultimate WordPress plugin before 5.10.2 allows users with Contributor roles to perform stored XSS via shortcode attributes. Note: the plugin is inconsistent in its handling of shortcode attributes; some do escape, most don't, and there are even some attributes that are insecure by design (like [su_button]'s onclick attribute). | |||||
| CVE-2021-24524 | 1 Givewp | 1 Givewp | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.12.0 did not escape the Donation Level setting of its Donation Forms, allowing high privilege users to use Cross-Site Scripting payloads in them. | |||||
| CVE-2021-24523 | 1 Mmrs151 | 1 Daily Prayer Time | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Daily Prayer Time WordPress plugin before 2021.08.10 does not sanitise or escape some of its settings before outputting them in the page, leading to Authenticated Stored Cross-Site Scripting issues. | |||||