Total
37244 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24367 | 1 Wp Config File Editor Project | 1 Wp Config File Editor | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The WP Config File Editor WordPress plugin through 1.7.1 was affected by an Authenticated Stored Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2021-24365 | 1 Admincolumns | 1 Admin Columns | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Admin Columns WordPress plugin Free before 4.3.2 and Pro before 5.5.2 allowed to configure individual columns for tables. Each column had a type. The type "Custom Field" allowed to choose an arbitrary database column to display in the table. There was no escaping applied to the contents of "Custom Field" columns. | |||||
| CVE-2021-24364 | 1 Tielabs | 1 Jannah | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Jannah WordPress theme before 5.4.4 did not properly sanitize the options JSON parameter in its tie_get_user_weather AJAX action before outputting it back in the page, leading to a Reflected Cross-Site Scripting (XSS) vulnerability. | |||||
| CVE-2021-24362 | 1 10web | 1 Photo Gallery | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin before 1.5.75 did not ensure that uploaded SVG files added to a gallery do not contain malicious content. As a result, users allowed to add images to gallery can upload an SVG file containing JavaScript code, which will be executed when accessing the image directly (ie in the /wp-content/uploads/photo-gallery/ folder), leading to a Cross-Site Scripting (XSS) issue | |||||
| CVE-2021-24357 | 1 Fooplugins | 1 Foogallery | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| In the Best Image Gallery & Responsive Photo Gallery – FooGallery WordPress plugin before 2.0.35, the Custom CSS field of each gallery is not properly sanitised or validated before being being output in the page where the gallery is embed, leading to a stored Cross-Site Scripting issue. | |||||
| CVE-2021-24351 | 1 Posimyth | 1 The Plus Addons For Elementor | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The theplus_more_post AJAX action of The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.12 did not properly sanitise some of its fields, leading to a reflected Cross-Site Scripting (exploitable on both unauthenticated and authenticated users) | |||||
| CVE-2021-24350 | 1 Bestwebsoft | 1 Visitors Online | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Visitors WordPress plugin through 0.3 is affected by an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability. The plugin would display the user's user agent string without validation or encoding within the WordPress admin panel. | |||||
| CVE-2021-24349 | 1 Gallery From Files Project | 1 Gallery From Files | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| This Gallery from files WordPress plugin through 1.6.0 gives the functionality of uploading images to the server. But filenames are not properly sanitized before being output in an error message when they have an invalid extension, leading to a reflected Cross-Site Scripting issue. Due to the lack of CSRF check, the attack could also be performed via such vector. | |||||
| CVE-2021-24346 | 1 Stock In \& Out Project | 1 Stock In \& Out | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Stock in & out WordPress plugin through 1.0.4 has a search functionality, the lowest accessible level to it being contributor. The srch POST parameter is not validated, sanitised or escaped before using it in the echo statement, leading to a reflected XSS issue | |||||
| CVE-2021-24344 | 1 Easy Preloader Project | 1 Easy Preloader | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Easy Preloader WordPress plugin through 1.0.0 does not sanitise its setting fields, leading to authenticated (admin+) Stored Cross-Site scripting issues | |||||
| CVE-2021-24343 | 1 Iflychat | 1 Iflychat | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The iFlyChat WordPress plugin before 4.7.0 does not sanitise its APP ID setting before outputting it back in the page, leading to an authenticated Stored Cross-Site Scripting issue | |||||
| CVE-2021-24342 | 1 Jnews | 1 Jnews | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The JNews WordPress theme before 8.0.6 did not sanitise the cat_id parameter in the POST request /?ajax-request=jnews (with action=jnews_build_mega_category_*), leading to a Reflected Cross-Site Scripting (XSS) issue. | |||||
| CVE-2021-24339 | 1 Podsfoundation | 1 Pods | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Pods – Custom Content Types and Fields WordPress plugin before 2.7.27 was vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) security vulnerability within the 'Menu Label' field parameter. | |||||
| CVE-2021-24338 | 1 Podsfoundation | 1 Pods | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Pods – Custom Content Types and Fields WordPress plugin before 2.7.27 was vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) security vulnerability within the 'Singular Label' field parameter. | |||||
| CVE-2021-24335 | 1 Smartdatasoft | 1 Car Repair Services \& Auto Mechanic | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Car Repair Services & Auto Mechanic WordPress theme before 4.0 did not properly sanitise its serviceestimatekey search parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue | |||||
| CVE-2021-24334 | 1 Connekthq | 1 Instant Images - One Click Unsplash Uploads | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Instant Images – One Click Unsplash Uploads WordPress plugin before 4.4.0.1 did not properly validate and sanitise its unsplash_download_w and unsplash_download_h parameter settings (/wp-admin/upload.php?page=instant-images), only validating them client side before saving them, leading to a Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24333 | 1 Content Copy Protection \& Prevent Image Save Project | 1 Content Copy Protection \& Prevent Image Save | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Content Copy Protection & Prevent Image Save WordPress plugin through 1.3 does not check for CSRF when saving its settings, not perform any validation and sanitisation on them, allowing attackers to make a logged in administrator set arbitrary XSS payloads in them. | |||||
| CVE-2021-24332 | 1 Autoptimize | 1 Autoptimize | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Autoptimize WordPress plugin before 2.8.4 was missing proper escaping and sanitisation in some of its settings, allowing high privilege users to set XSS payloads in them, leading to stored Cross-Site Scripting issues | |||||
| CVE-2021-24331 | 1 Smooth Scroll Page Up\/down Buttons Project | 1 Smooth Scroll Page Up\/down Buttons | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Smooth Scroll Page Up/Down Buttons WordPress plugin before 1.4 did not properly sanitise and validate its settings, such as psb_distance, psb_buttonsize, psb_speed, only validating them client side. This could allow high privilege users (such as admin) to set XSS payloads in them | |||||
| CVE-2021-24330 | 1 Cartflows | 1 Cartflows | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| The Funnel Builder by CartFlows – Create High Converting Sales Funnels For WordPress plugin before 1.6.13 did not sanitise its facebook_pixel_id and google_analytics_id settings, allowing high privilege users to set XSS payload in them, which will either be executed on pages generated by the plugin, or the whole website depending on the settings used. | |||||