Search Results (364866 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-24967 1 Themehunk 1 Contact Form \& Lead Form Elementor Builder 2024-11-21 6.1 Medium
The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.6.4 does not sanitise and escape some lead values, which could allow unauthenticated users to perform Cross-Site Scripting attacks against logged in admin viewing the inserted Leads
CVE-2021-24966 1 Bestwebsoft 1 Error Log Viewer 2024-11-21 4.9 Medium
The Error Log Viewer WordPress plugin through 1.1.1 does not validate the path of the log file to clear, allowing high privilege users to clear arbitrary files on the web server, including those outside of the blog folder
CVE-2021-24965 1 Fivestarplugins 1 Five Star Restaurant Reservations 2024-11-21 5.4 Medium
The Five Star Restaurant Reservations WordPress plugin before 2.4.8 does not have capability and CSRF checks in the rtb_welcome_set_schedule AJAX action, allowing any authenticated users to call it. Due to the lack of sanitisation and escaping, users with a role as low as subscriber could perform Cross-Site Scripting attacks against logged in admins
CVE-2021-24963 1 Litespeedtech 1 Litespeed Cache 2024-11-21 4.8 Medium
The LiteSpeed Cache WordPress plugin before 4.4.4 does not escape the qc_res parameter before outputting it back in the JS code of an admin page, leading to a Reflected Cross-Site Scripting
CVE-2021-24962 1 Iptanus 2 Wordpress File Upload, Wordpress File Upload Pro 2024-11-21 8.8 High
The WordPress File Upload Free and Pro WordPress plugins before 4.16.3 allow users with a role as low as Contributor to perform path traversal via a shortcode argument, which can then be used to upload a PHP code disguised as an image inside the auto-loaded directory of the plugin, resulting in arbitrary code execution.
CVE-2021-24961 1 Iptanus 2 Wordpress File Upload, Wordpress File Upload Pro 2024-11-21 5.4 Medium
The WordPress File Upload WordPress plugin before 4.16.3, wordpress-file-upload-pro WordPress plugin before 4.16.3 does not escape some of its shortcode argument, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks
CVE-2021-24960 1 Iptanus 2 Wordpress File Upload, Wordpress File Upload Pro 2024-11-21 5.4 Medium
The WordPress File Upload WordPress plugin before 4.16.3, wordpress-file-upload-pro WordPress plugin before 4.16.3 allows users with a role as low as Contributor to configure the upload form in a way that allows uploading of SVG files, which could be then be used for Cross-Site Scripting attacks
CVE-2021-24959 1 Techspawn 1 Wp-email-users 2024-11-21 8.8 High
The WP Email Users WordPress plugin through 1.7.6 does not escape the data_raw parameter in the weu_selected_users_1 AJAX action, available to any authenticated users, allowing them to perform SQL injection attacks.
CVE-2021-24958 1 Mekshq 1 Meks Easy Photo Feed Widget 2024-11-21 5.4 Medium
The Meks Easy Photo Feed Widget WordPress plugin before 1.2.4 does not have capability and CSRF checks in the meks_save_business_selected_account AJAX action, available to any authenticated user, and does not escape some of the settings. As a result, any authenticated user, such as subscriber could update the plugin's settings and put Cross-Site Scripting payloads in them
CVE-2021-24957 1 Advanced Page Visit Counter Project 1 Advanced Page Visit Counter 2024-11-21 8.8 High
The Advanced Page Visit Counter WordPress plugin before 6.1.6 does not escape the artID parameter before using it in a SQL statement in the apvc_reset_count_art AJAX action, available to any authenticated user, leading to a SQL injection
CVE-2021-24956 1 Adenion 1 Blog2social 2024-11-21 6.1 Medium
The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 6.8.7 does not sanitise and escape the b2sShowByDate parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24955 1 Profilepress 1 User Registration\, Login Form\, User Profile \& Membership 2024-11-21 6.1 Medium
The User Registration, Login Form, User Profile & Membership WordPress plugin before 3.2.3 does not escape the data parameter of the pp_get_forms_by_builder_type AJAX action before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24954 1 Profilepress 1 User Registration\, Login Form\, User Profile \& Membership 2024-11-21 6.1 Medium
The User Registration, Login Form, User Profile & Membership WordPress plugin before 3.2.3 does not sanitise and escape the ppress_cc_data parameter before outputting it back in an attribute of an admin dashboard page, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24953 1 Tinywebgallery 1 Advanced Iframe 2024-11-21 6.1 Medium
The Advanced iFrame WordPress plugin before 2022 does not sanitise and escape the ai_config_id parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24951 1 Thimpress 1 Learnpress 2024-11-21 9.8 Critical
The LearnPress WordPress plugin before 4.1.4 does not sanitise, validate and escape the id parameter before using it in SQL statements when duplicating course/lesson/quiz/question, leading to SQL Injections issues
CVE-2021-24950 1 Thememove 1 Insight Core 2024-11-21 5.4 Medium
The Insight Core WordPress plugin through 1.0 does not have any authorisation and CSRF checks in the insight_customizer_options_import (available to any authenticated user), does not validate user input before passing it to unserialize(), nor sanitise and escape it before outputting it in the response. As a result, it could allow users with a role as low as Subscriber to perform PHP Object Injection, as well as Stored Cross-Site Scripting attacks
CVE-2021-24949 1 Posimyth 1 The Plus Addons For Elementor 2024-11-21 9.8 Critical
The "WP Search Filters" widget of The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection
CVE-2021-24948 1 Posimyth 1 The Plus Addons For Elementor 2024-11-21 7.5 High
The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not validate the qvquery parameter of the tp_get_dl_post_info_ajax AJAX action, which could allow unauthenticated users to retrieve sensitive information, such as private and draft posts
CVE-2021-24947 1 Thinkupthemes 1 Responsive Vector Maps 2024-11-21 6.5 Medium
The RVM WordPress plugin before 6.4.2 does not have proper authorisation, CSRF checks and validation of the rvm_upload_regions_file_path parameter in the rvm_import_regions AJAX action, allowing any authenticated user, such as subscriber, to read arbitrary files on the web server
CVE-2021-24946 1 Webnus 1 Modern Events Calendar Lite 2024-11-21 9.8 Critical
The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the time parameter before using it in a SQL statement in the mec_load_single_page AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue