Filtered by CWE-79
Total 41393 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2021-24939 1 Profilepress 1 Loginwp 2024-11-21 6.1 Medium
The LoginWP (Formerly Peter's Login Redirect) WordPress plugin before 3.0.0.5 does not sanitise and escape the rul_login_url and rul_logout_url parameter before outputting them back in attributes in an admin page, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24938 1 Woocommerce 1 Woocommerce Currency Switcher 2024-11-21 6.1 Medium
The WOOCS WordPress plugin before 1.3.7.1 does not sanitise and escape the key parameter of the woocs_update_profiles_data AJAX action (available to any authenticated user) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24937 1 Asset Cleanup\ 1 Page Speed Booster Project 2024-11-21 6.1 Medium
The Asset CleanUp: Page Speed Booster WordPress plugin before 1.3.8.5 does not escape the wpacu_selected_sub_tab_area parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24935 1 Wp Google Fonts Project 1 Wp Google Fonts 2024-11-21 6.1 Medium
The WP Google Fonts WordPress plugin before 3.1.5 does not escape the googlefont_ajax_name and googlefont_ajax_family parameters of the googlefont_action AJAX action (available to any authenticated user) before outputting them in attributes, leading to Reflected Cross-Site Scripting issues
CVE-2021-24934 1 Yellowpencil 1 Visual Css Style Editor 2024-11-21 6.1 Medium
The Visual CSS Style Editor WordPress plugin before 7.5.4 does not sanitise and escape the wyp_page_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24933 1 Bootstrapped 1 Dynamic Widgets 2024-11-21 5.4 Medium
The Dynamic Widgets WordPress plugin through 1.5.16 does not escape the prefix parameter before outputting it back in an attribute when using the term_tree AJAX action (available to any authenticated user), leading to a Reflected Cross-Site Scripting issue
CVE-2021-24932 1 Cm-wp 1 Auto Featured Image 2024-11-21 6.1 Medium
The Auto Featured Image (Auto Post Thumbnail) WordPress plugin before 3.9.3 does not sanitise and escape the post_id parameter before outputting back in an admin page within a JS block, leading to a Reflected Cross-Site Scripting issue.
CVE-2021-24930 1 Booking-wp-plugin 1 Bookly 2024-11-21 5.4 Medium
The WordPress Online Booking and Scheduling Plugin WordPress plugin before 20.3.1 does not escape the Staff Full Name field before outputting it back in a page, which could lead to a Stored Cross-Site Scripting issue
CVE-2021-24927 1 My Calendar Project 1 My Calendar 2024-11-21 5.4 Medium
The My Calendar WordPress plugin before 3.2.18 does not sanitise and escape the callback parameter of the mc_post_lookup AJAX action (available to any authenticated user) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24926 1 Domaincheckplugin 1 Domain Check 2024-11-21 6.1 Medium
The Domain Check WordPress plugin before 1.0.17 does not sanitise and escape the domain parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24925 1 Webnus 1 Modern Events Calendar Lite 2024-11-21 6.1 Medium
The Modern Events Calendar Lite WordPress plugin before 6.1.5 does not sanitise and escape the current_month_divider parameter of its mec_list_load_more AJAX call (available to both unauthenticated and authenticated users) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24924 1 Email Log Project 1 Email Log 2024-11-21 6.1 Medium
The Email Log WordPress plugin before 2.4.8 does not escape the d parameter before outputting it back in an attribute in the Log page, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24923 1 Brevo 1 Newsletter, Smtp, Email Marketing And Subscribe 2024-11-21 6.1 Medium
The Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue WordPress plugin before 3.1.25 does not escape the sib-statistics-date parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24921 1 Sigmaplugin 1 Advanced Database Cleaner 2024-11-21 6.1 Medium
The Advanced Database Cleaner WordPress plugin before 3.0.4 does not sanitise and escape $_GET keys and values before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues
CVE-2021-24920 1 Statcounter 1 Statcounter 2024-11-21 4.8 Medium
The StatCounter WordPress plugin before 2.0.7 does not sanitise and escape the Project ID and Secure Code settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
CVE-2021-24918 1 Smashballoon 1 Smash Balloon Social Post Feed 2024-11-21 5.4 Medium
The Smash Balloon Social Post Feed WordPress plugin before 4.0.1 did not have any privilege or nonce validation before saving the plugin's setting. As a result, any logged-in user on a vulnerable site could update the settings and store rogue JavaScript on each of its posts and pages.
CVE-2021-24912 1 Transposh 1 Transposh Wordpress Translation 2024-11-21 5.4 Medium
The Transposh WordPress Translation WordPress plugin before 1.0.8 does not have a CSRF check in its tp_translation AJAX action, which could allow attackers to make authorised users add a translation. Given the lack of sanitisation in the tk0 parameter, this could lead to a Stored Cross-Site Scripting issue which will be executed in the context of a logged-in admin
CVE-2021-24911 1 Transposh 1 Transposh Wordpress Translation 2024-11-21 5.4 Medium
The Transposh WordPress Translation WordPress plugin before 1.0.8 does not sanitise and escape the tk0 parameter from the tp_translation AJAX action, leading to Stored Cross-Site Scripting, which will trigger in the admin dashboard of the plugin. The minimum role needed to perform such an attack depends on the plugin "Who can translate ?" setting.
CVE-2021-24910 1 Transposh 1 Transposh Wordpress Translation 2024-11-21 6.1 Medium
The Transposh WordPress Translation WordPress plugin before 1.0.8 does not sanitise and escape the a parameter via an AJAX action (available to both unauthenticated and authenticated users when the curl library is installed) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue
CVE-2021-24909 1 Navz 1 Acf Photo Gallery Field 2024-11-21 6.1 Medium
The ACF Photo Gallery Field WordPress plugin before 1.7.5 does not sanitise and escape the post parameter in the includes/acf_photo_gallery_metabox_edit.php file before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue