Total
37247 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24445 | 1 Draftpress | 1 My Site Audit | 2024-11-21 | 3.5 LOW | 5.5 MEDIUM |
| The My Site Audit WordPress plugin through 1.2.4 does not sanitise or escape the Audit Name field when creating an audit, allowing high privilege users to set JavaScript payloads in them, even when he unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue | |||||
| CVE-2021-24444 | 1 Taxopress | 1 Taxopress | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The TaxoPress – Create and Manage Taxonomies, Tags, Categories WordPress plugin before 3.0.7.2 does not sanitise its Taxonomy description field, allowing high privilege users to set JavaScript payload in them even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24443 | 1 Kainelabs | 1 Youzify | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The About Me widget of the Youzify – BuddyPress Community, User Profile, Social Network & Membership WordPress plugin before 1.0.7 does not properly sanitise its Biography field, allowing any authenticated user to set Cross-Site Scripting payloads in it, which will be executed when viewing the affected user profile. This could allow a low privilege user to gain unauthorised access to the admin side of the blog by targeting an admin, inducing them to view their profile with a malicious payload adding a rogue account for example. | |||||
| CVE-2021-24440 | 1 Fetchdesigns | 1 Sign-up Sheets | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Sign-up Sheets WordPress plugin before 1.0.14 did not sanitise or escape some of its fields when creating a new sheet, allowing high privilege users to add JavaScript in them, leading to a Stored Cross-Site Scripting issue. The payloads will be triggered when viewing the 'All Sheets' page in the admin dashboard | |||||
| CVE-2021-24439 | 1 Prothemedesign | 1 Browser Screenshots | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Browser Screenshots WordPress plugin before 1.7.6 allowed authenticated users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks as the image_class parameter of the browser-shot shortcode was not escaped. | |||||
| CVE-2021-24438 | 1 Sharethis | 1 Dashboard For Google Analytics | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The ShareThis Dashboard for Google Analytics WordPress plugin before 2.5.2 does not sanitise or escape the 'ga_action' parameter in the stats view before outputting it back in an attribute when the plugin is connected to a Google Analytics account, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator | |||||
| CVE-2021-24437 | 1 Realfavicongenerator | 1 Favicon By Realfavicongenerator | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Favicon by RealFaviconGenerator WordPress plugin through 1.3.20 does not sanitise or escape one of its parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting (XSS) which is executed in the context of a logged administrator. | |||||
| CVE-2021-24436 | 1 Boldgrid | 1 W3 Total Cache | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The W3 Total Cache WordPress plugin before 2.1.4 was vulnerable to a reflected Cross-Site Scripting (XSS) security vulnerability within the "extension" parameter in the Extensions dashboard, which is output in an attribute without being escaped first. This could allow an attacker, who can convince an authenticated admin into clicking a link, to run malicious JavaScript within the user's web browser, which could lead to full site compromise. | |||||
| CVE-2021-24435 | 1 Gambit | 1 Titan Framework | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The iframe-font-preview.php file of the titan-framework does not properly escape the font-weight and font-family GET parameters before outputting them back in an href attribute, leading to Reflected Cross-Site Scripting issues | |||||
| CVE-2021-24434 | 1 Codeblab | 1 Glass | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Glass WordPress plugin through 1.3.2 does not sanitise or escape its "Glass Pages" setting before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin did not have CSRF check in place when saving its settings, allowing the issue to be exploited via a CSRF attack. | |||||
| CVE-2021-24431 | 1 Language Bar Flags Project | 1 Language Bar Flags | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Language Bar Flags WordPress plugin through 1.0.8 does not have any CSRF in place when saving its settings and did not sanitise or escape them when generating the flag bar in the frontend. This could allow attackers to make a logged in admin change the settings, and set Cross-Site Scripting payload in them, which will be executed in the frontend for all users | |||||
| CVE-2021-24429 | 1 Salonbookingsystem | 1 Salon Booking System | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Salon booking system WordPress plugin before 6.3.1 does not properly sanitise and escape the First Name field when booking an appointment, allowing low privilege users such as subscriber to set JavaScript in them, leading to a Stored Cross-Site Scripting (XSS) vulnerability. The Payload will then be triggered when an admin visits the "Calendar" page and the malicious script is executed in the admin context. | |||||
| CVE-2021-24428 | 1 Yandex | 1 Yandex Turbo | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The RSS for Yandex Turbo WordPress plugin through 1.30 does not sanitise or escape some of its settings before saving and outputing them in the admin dashboard, leading to an Authenticated Stored Cross-Site Scripting issue even when the unfiltered_html capability is disallowed. | |||||
| CVE-2021-24427 | 1 Boldgrid | 1 W3 Total Cache | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The W3 Total Cache WordPress plugin before 2.1.3 did not sanitise or escape some of its CDN settings, allowing high privilege users to use JavaScript in them, which will be output in the page, leading to an authenticated Stored Cross-Site Scripting issue | |||||
| CVE-2021-24426 | 1 Web-dorado | 1 Backup-wd | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Backup by 10Web – Backup and Restore Plugin WordPress plugin through 1.0.20 does not sanitise or escape the tab parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue | |||||
| CVE-2021-24425 | 1 Premio | 1 Mystickymenu | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme – myStickymenu WordPress plugin before 2.5.2 does not sanitise or escape its Bar Text settings, allowing hight privilege users to use malicious JavaScript in it, leading to a Stored Cross-Site Scripting issue, which will be triggered in the plugin's setting, as well as all front-page of the blog (when the Welcome bar is active) | |||||
| CVE-2021-24424 | 1 Webfactoryltd | 1 Wp Reset | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The WP Reset – Most Advanced WordPress Reset Tool WordPress plugin before 1.90 did not sanitise or escape its extra_data parameter when creating a snapshot via the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue | |||||
| CVE-2021-24423 | 1 Updraftplus | 1 Updraftplus | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.6.59 does not sanitise its updraft_service settings, allowing high privilege users to set malicious JavaScript payload in it and leading to a Stored Cross-Site Scripting issue | |||||
| CVE-2021-24421 | 1 Eyecix | 1 Jobsearch Wp Job Board | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The WP JobSearch WordPress plugin before 1.7.4 did not sanitise or escape multiple of its parameters from the my-resume page before outputting them in the page, allowing low privilege users to use JavaScript payloads in them and leading to a Stored Cross-Site Scripting issue | |||||
| CVE-2021-24420 | 1 Emarketdesign | 1 Request A Quote | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Request a Quote WordPress plugin before 2.3.4 did not sanitise and escape some of its quote fields when adding/editing a quote as admin, leading to Stored Cross-Site scripting issues when the quote is output in the 'All Quotes" table. | |||||