Search Results (362808 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-25101 1 Anti-malware Security And Brute-force Firewall Project 1 Anti-malware Security And Brute-force Firewall 2024-11-21 4.8 Medium
The Anti-Malware Security and Brute-Force Firewall WordPress plugin before 4.20.94 does not sanitise and escape the POST data before outputting it back in attributes of an admin page, leading to a Reflected Cross-Site scripting. Due to the presence of specific parameter value, available to admin users, this can only be exploited by an admin against another admin user.
CVE-2021-25100 1 Givewp 1 Givewp 2024-11-21 6.1 Medium
The GiveWP WordPress plugin before 2.17.3 does not escape the s parameter before outputting it back in an attribute in the Donation Forms dashboard, leading to a Reflected Cross-Site Scripting
CVE-2021-25099 1 Givewp 1 Givewp 2024-11-21 6.1 Medium
The GiveWP WordPress plugin before 2.17.3 does not sanitise and escape the form_id parameter before outputting it back in the response of an unauthenticated request via the give_checkout_login AJAX action, leading to a Reflected Cross-Site Scripting
CVE-2021-25098 1 Fatcatapps 1 Easy Pricing Tables 2024-11-21 6.5 Medium
The Pricing Tables WordPress Plugin WordPress plugin before 3.1.3 does not verify the CSRF nonce when removing posts, allowing attackers to make a logged in admin remove arbitrary posts from the blog via a CSRF attack, which will be put in the trash
CVE-2021-25097 1 Creativityjuice 1 Labtools 2024-11-21 6.5 Medium
The LabTools WordPress plugin through 1.0 does not have proper authorisation and CSRF check in place when deleting publications, allowing any authenticated users, such as subscriber to delete arbitrary publication
CVE-2021-25096 1 Ip2location 1 Country Blocker 2024-11-21 6.5 Medium
The IP2Location Country Blocker WordPress plugin before 2.26.5 bans can be bypassed by using a specific parameter in the URL
CVE-2021-25095 1 Ip2location 1 Country Blocker 2024-11-21 7.1 High
The IP2Location Country Blocker WordPress plugin before 2.26.5 does not have authorisation and CSRF checks in the ip2location_country_blocker_save_rules AJAX action, allowing any authenticated users, such as subscriber to call it and block arbitrary country, or block all of them at once, preventing users from accessing the frontend.
CVE-2021-25093 1 Ylefebvre 1 Link Library 2024-11-21 7.5 High
The Link Library WordPress plugin before 7.2.8 does not have authorisation in place when deleting links, allowing unauthenticated users to delete arbitrary links via a crafted request
CVE-2021-25092 1 Ylefebvre 1 Link Library 2024-11-21 6.5 Medium
The Link Library WordPress plugin before 7.2.8 does not have CSRF check when resetting library settings, allowing attackers to make a logged in admin reset arbitrary settings via a CSRF attack
CVE-2021-25091 1 Ylefebvre 1 Link Library 2024-11-21 6.1 Medium
The Link Library WordPress plugin before 7.2.9 does not sanitise and escape the settingscopy parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting
CVE-2021-25090 1 Wpsofts 1 Portfolio Gallery\, Product Catalog - Grid Kit Portfolio 2024-11-21 5.4 Medium
The Portfolio Gallery, Product Catalog WordPress plugin before 2.1.0 does not have authorisation and CSRF checks in various functions related to AJAX actions, allowing any authenticated users, such as subscriber, to call them. Due to the lack of sanitisation and escaping, it could also allows attackers to perform Cross-Site Scripting attacks on pages where a Portfolio is embed
CVE-2021-25089 1 Updraftplus 1 Updraftplus 2024-11-21 6.1 Medium
The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.16.69 does not sanitise and escape the updraft_restore parameter before outputting it back in the Restore page, leading to a Reflected Cross-Site Scripting
CVE-2021-25088 1 Google Xml Sitemaps Project 1 Google Xml Sitemaps 2024-11-21 4.8 Medium
The XML Sitemaps WordPress plugin before 4.1.3 does not sanitise and escape a settings before outputting it in the Debug page, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
CVE-2021-25086 1 Advanced Page Visit Counter Project 1 Advanced Page Visit Counter 2024-11-21 6.1 Medium
The Advanced Page Visit Counter WordPress plugin before 6.1.2 does not sanitise and escape some input before outputting it in an admin dashboard page, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against admins viewing it
CVE-2021-25085 1 Pluginus 1 Woocommerce Products Filter 2024-11-21 6.1 Medium
The WOOF WordPress plugin before 1.2.6.3 does not sanitise and escape the woof_redraw_elements before outputing back in an admin page, leading to a Reflected Cross-Site Scripting
CVE-2021-25084 1 Bracketspace 1 Advanced Cron Manager 2024-11-21 4.3 Medium
The Advanced Cron Manager WordPress plugin before 2.4.2 and Advanced Cron Manager Pro WordPress plugin before 2.5.3 do not have authorisation checks in some of their AJAX actions, allowing any authenticated users, such as subscriber to call them and add or remove events as well as schedules for example
CVE-2021-25083 1 Roundupwp 1 Registrations For The Events Calendar 2024-11-21 6.1 Medium
The Registrations for the Events Calendar WordPress plugin before 2.7.10 does not escape the qtype parameter before outputting it back in an attribute in the settings page, leading to a Reflected Cross-Site Scripting
CVE-2021-25082 1 Sygnoos 1 Popup Builder 2024-11-21 8.8 High
The Popup Builder WordPress plugin before 4.0.7 does not validate and sanitise the sgpb_type parameter before using it in a require statement, leading to a Local File Inclusion issue. Furthermore, since the beginning of the string can be controlled, the issue can lead to RCE vulnerability via wrappers such as PHAR
CVE-2021-25081 1 Wpgooglemap 1 Wp Google Map 2024-11-21 6.5 Medium
The Maps Plugin using Google Maps for WordPress plugin before 1.8.4 does not have CSRF checks in most of its AJAX actions, which could allow attackers to make logged in admins delete arbitrary posts and update the plugin's settings via a CSRF attack
CVE-2021-25080 1 Crmperks 1 Contact Form Entries 2024-11-21 6.1 Medium
The Contact Form Entries WordPress plugin before 1.1.7 does not validate, sanitise and escape the IP address retrieved via headers such as CLIENT-IP and X-FORWARDED-FOR, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against logged in admins viewing the created entry