Filtered by vendor Themeum
Subscriptions
Total
41 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-24207 | 1 Themeum | 1 Wp Page Builder | 2024-08-03 | 4.3 Medium |
| By default, the WP Page Builder WordPress plugin before 1.2.4 allows subscriber-level users to edit and make changes to any and all posts pages - user roles must be specifically blocked from editing posts and pages. | ||||
| CVE-2021-24208 | 1 Themeum | 1 Wp Page Builder | 2024-08-03 | 5.4 Medium |
| The editor of the WP Page Builder WordPress plugin before 1.2.4 allows lower-privileged users to insert unfiltered HTML, including JavaScript, into pages via the “Raw HTML” widget and the “Custom HTML” widgets (though the custom HTML widget requires sending a crafted request - it appears that this widget uses some form of client side validation but not server side validation), all of which are added via the “page_builder_data” parameter when performing the “wppb_page_save” AJAX action. It is also possible to insert malicious JavaScript via the “wppb_page_css” parameter (this can be done by closing out the style tag and opening a script tag) when performing the “wppb_page_save” AJAX action. | ||||
| CVE-2021-24182 | 1 Themeum | 1 Tutor Lms | 2024-08-03 | 6.5 Medium |
| The tutor_quiz_builder_get_answers_by_question AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection that could be exploited by students. | ||||
| CVE-2021-24181 | 1 Themeum | 1 Tutor Lms | 2024-08-03 | 6.5 Medium |
| The tutor_mark_answer_as_correct AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 was vulnerable to blind and time based SQL injections that could be exploited by students. | ||||
| CVE-2021-24183 | 1 Themeum | 1 Tutor Lms | 2024-08-03 | 6.5 Medium |
| The tutor_quiz_builder_get_question_form AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection that could be exploited by students. | ||||
| CVE-2021-24185 | 1 Themeum | 1 Tutor Lms | 2024-08-03 | 6.5 Medium |
| The tutor_place_rating AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 was vulnerable to blind and time based SQL injections that could be exploited by students. | ||||
| CVE-2021-24186 | 1 Themeum | 1 Tutor Lms | 2024-08-03 | 6.5 Medium |
| The tutor_answering_quiz_question/get_answer_by_id function pair from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection that could be exploited by students. | ||||
| CVE-2022-3830 | 1 Themeum | 1 Wp Page Builder | 2024-08-03 | 4.8 Medium |
| The WP Page Builder WordPress plugin through 1.2.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2022-2563 | 1 Themeum | 1 Tutor Lms | 2024-08-03 | 4.8 Medium |
| The Tutor LMS WordPress plugin before 2.0.10 does not escape some course parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2023-50859 | 1 Themeum | 1 Wp Crowdfunding | 2024-08-02 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum WP Crowdfunding allows Stored XSS.This issue affects WP Crowdfunding: from n/a through 2.1.6. | ||||
| CVE-2023-49829 | 1 Themeum | 1 Tutor Lms | 2024-08-02 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Tutor LMS – eLearning and online course solution allows Stored XSS.This issue affects Tutor LMS – eLearning and online course solution: from n/a through 2.2.4. | ||||
| CVE-2023-47532 | 1 Themeum | 1 Wp Crowdfunding | 2024-08-02 | 5.8 Medium |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Themeum WP Crowdfunding plugin <= 2.1.6 versions. | ||||
| CVE-2024-37256 | 1 Themeum | 1 Tutor Lms | 2024-08-02 | 7.6 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Tutor LMS.This issue affects Tutor LMS: from n/a through 2.7.1. | ||||
| CVE-2023-6163 | 1 Themeum | 1 Wp Crowdfunding | 2024-08-02 | 4.8 Medium |
| The WP Crowdfunding WordPress plugin before 2.1.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2023-6161 | 1 Themeum | 1 Wp Crowdfunding | 2024-08-02 | 6.1 Medium |
| The WP Crowdfunding WordPress plugin before 2.1.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2023-5757 | 1 Themeum | 1 Wp Crowdfunding | 2024-08-02 | 4.8 Medium |
| The WP Crowdfunding WordPress plugin before 2.1.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2023-4805 | 1 Themeum | 1 Tutor Lms | 2024-08-02 | 5.4 Medium |
| The Tutor LMS WordPress plugin before 2.3.0 does not sanitise and escape some of its settings, which could allow users such as subscriber to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2023-3133 | 1 Themeum | 1 Tutor Lms | 2024-08-02 | 7.5 High |
| The Tutor LMS WordPress plugin before 2.2.1 does not implement adequate permission checks for REST API endpoints, allowing unauthenticated attackers to access information from Lessons that should not be publicly available. | ||||
| CVE-2023-0376 | 1 Themeum | 1 Qubely | 2024-08-02 | 5.4 Medium |
| The Qubely WordPress plugin before 1.8.5 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2023-0236 | 1 Themeum | 1 Tutor Lms | 2024-08-02 | 6.1 Medium |
| The Tutor LMS WordPress plugin before 2.0.10 does not sanitise and escape the reset_key and user_id parameters before outputting then back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||