Search Results (362845 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-24690 1 Kibokolabs 1 Chained Quiz 2024-11-21 5.4 Medium
The Chained Quiz WordPress plugin before 1.2.7.2 does not properly sanitize or escape inputs in the plugin's settings.
CVE-2021-24689 1 Wpeverest 1 Contact Form 2024-11-21 4.9 Medium
The Contact Forms - Drag & Drop Contact Form Builder WordPress plugin through 1.0.5 allows high privilege users to download arbitrary files from the web server via a path traversal attack
CVE-2021-24688 1 Orange-form Project 1 Orange-form 2024-11-21 4.3 Medium
The Orange Form WordPress plugin through 1.0.1 does not have any authorisation and CSRF checks in all of its AJAX calls, for example the or_delete_filed one which is available to both unauthenticated and authenticated users could allow attackers to delete arbitrary posts.The AJAX calls performing actions on posts also do not ensure that the post belong to them (or that they are allowed to perform such action on it)
CVE-2021-24687 1 Webnus 1 Modern Events Calendar Lite 2024-11-21 4.8 Medium
The Modern Events Calendar Lite WordPress plugin before 5.22.2 does not escape some of its settings before outputting them in attributes, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24686 1 Benbodhi 1 Svg Support 2024-11-21 4.8 Medium
The SVG Support WordPress plugin before 2.3.20 does not escape the "CSS Class to target" setting before outputting it in an attribute, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24685 1 Flat Preloader Project 1 Flat Preloader 2024-11-21 5.4 Medium
The Flat Preloader WordPress plugin before 1.5.4 does not enforce nonce checks when saving its settings, as well as does not sanitise and escape them, which could allow attackers to a make logged in admin change them with a Cross-Site Scripting payload (triggered either in the frontend or backend depending on the payload)
CVE-2021-24684 1 Teamlead 1 Pdf-light-viewer 2024-11-21 8.8 High
The WordPress PDF Light Viewer Plugin WordPress plugin before 1.4.12 allows users with Author roles to execute arbitrary OS command on the server via OS Command Injection when invoking Ghostscript.
CVE-2021-24683 1 Awplife 1 Weather Effect 2024-11-21 5.4 Medium
The Weather Effect WordPress plugin before 1.3.4 does not have any CSRF checks in place when saving its settings, and do not validate or escape them, which could lead to Stored Cross-Site Scripting issue.
CVE-2021-24682 1 Wpkube 1 Cool Tag Cloud 2024-11-21 5.4 Medium
The Cool Tag Cloud WordPress plugin before 2.26 does not escape the style attribute of the cool_tag_cloud shortcode, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.
CVE-2021-24681 1 Duplicatepro 1 Duplicate Page 2024-11-21 4.8 Medium
The Duplicate Page WordPress plugin through 4.4.2 does not sanitise or escape the Duplicate Post Suffix settings before outputting it, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24680 1 Wptravelengine 1 Wp Travel Engine 2024-11-21 5.4 Medium
The WP Travel Engine WordPress plugin before 5.3.1 does not escape the Description field in the Trip Destination/Activities/Trip Type and Pricing Category pages, allowing users with a role as low as editor to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed
CVE-2021-24679 1 Coinmarketstats 1 Bitcoin \/ Altcoin Payment Gateway For Woocommerce 2024-11-21 6.1 Medium
The Bitcoin / AltCoin Payment Gateway for WooCommerce WordPress plugin before 1.6.1 does not escape the 's' GET parameter before outputting back in the All Masking Rules page, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24678 1 Cminds 1 Tooltip Glossary 2024-11-21 5.4 Medium
The CM Tooltip Glossary WordPress plugin before 3.9.21 does not escape some glossary_tooltip shortcode attributes, which could allow users a role as low as Contributor to perform Stored Cross-Site Scripting attacks
CVE-2021-24677 1 Find My Blocks Project 1 Find My Blocks 2024-11-21 5.3 Medium
The Find My Blocks WordPress plugin before 3.4.0 does not have authorisation checks in its REST API, which could allow unauthenticated users to enumerate private posts' titles.
CVE-2021-24676 1 Codesolz 1 Better Find And Replace 2024-11-21 6.1 Medium
The Better Find and Replace WordPress plugin before 1.2.9 does not escape the 's' GET parameter before outputting back in the All Masking Rules page, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24675 1 Onedesigns 1 One User Avatar 2024-11-21 6.5 Medium
The One User Avatar WordPress plugin before 2.3.7 does not check for CSRF when updating the Avatar in page where the [avatar_upload] shortcode is embed. As a result, attackers could make logged in user change their avatar via a CSRF attack
CVE-2021-24674 1 Genie Wp Favicon Project 1 Genie Wp Favicon 2024-11-21 6.5 Medium
The Genie WP Favicon WordPress plugin through 0.5.2 does not have CSRF in place when updating the favicon, which could allow attackers to make a logged in admin change it via a CSRF attack
CVE-2021-24673 1 Dwbooster 1 Appointment Hour Booking 2024-11-21 4.8 Medium
The Appointment Hour Booking WordPress plugin before 1.3.16 does not escape some of the Calendar Form settings, allowing high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24672 1 Onedesigns 1 One User Avatar 2024-11-21 5.4 Medium
The One User Avatar WordPress plugin before 2.3.7 does not escape the link and target attributes of its shortcode, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks
CVE-2021-24671 1 Mx Time Zone Clocks Project 1 Mx Time Zone Clocks 2024-11-21 5.4 Medium
The MX Time Zone Clocks WordPress plugin before 3.4.1 does not escape the time_zone attribute of the mxmtzc_time_zone_clocks shortcode, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks