Total
41385 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-24796 | 1 My Tickets Project | 1 My Tickets | 2024-11-21 | 6.1 Medium |
| The My Tickets WordPress plugin before 1.8.31 does not properly sanitise and escape the Email field of booked tickets before outputting it in the Payment admin dashboard, which could allow unauthenticated users to perform Cross-Site Scripting attacks against admins | ||||
| CVE-2021-24794 | 1 Connections-pro | 1 Connections Business Directory | 2024-11-21 | 4.8 Medium |
| The Connections Business Directory WordPress plugin before 10.4.3 does not escape the Address settings when creating an Entry, which could allow high privilege users to perform Cross-Site Scripting when the unfiltered_html capability is disallowed. | ||||
| CVE-2021-24793 | 1 Etruel | 1 Wpematico Rss Feed Fetcher | 2024-11-21 | 4.8 Medium |
| The WPeMatico RSS Feed Fetcher WordPress plugin before 2.6.12 does not escape the Feed URL added to a campaign before outputting it in an attribute, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | ||||
| CVE-2021-24792 | 1 Wpeden | 1 Shiny Buttons | 2024-11-21 | 6.1 Medium |
| The Shiny Buttons WordPress plugin through 1.1.0 does not have any authorisation and CSRF in place when saving a template (wpbtn_save_template function hooked to the init action), nor sanitise and escape them before outputting them in the admin dashboard, which allow unauthenticated users to add a malicious template and lead to Stored Cross-Site Scripting issues. | ||||
| CVE-2021-24789 | 1 Flat Preloader Project | 1 Flat Preloader | 2024-11-21 | 4.8 Medium |
| The Flat Preloader WordPress plugin before 1.5.5 does not escape some of its settings when outputting them in attribute in the frontend, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed | ||||
| CVE-2021-24787 | 1 Webventures | 1 Client Invoicing By Sprout Invoices | 2024-11-21 | 4.8 Medium |
| The Client Invoicing by Sprout Invoices WordPress plugin before 19.9.7 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | ||||
| CVE-2021-24785 | 1 Great-quotes Project | 1 Great-quotes | 2024-11-21 | 4.8 Medium |
| The Great Quotes WordPress plugin through 1.0.0 does not sanitise and escape the Quote and Author fields of its Quotes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed. | ||||
| CVE-2021-24782 | 1 Flex Local Fonts Project | 1 Flex Local Fonts | 2024-11-21 | 4.8 Medium |
| The Flex Local Fonts WordPress plugin through 1.0.0 does not escape the Class Name field when adding a font, which could allow hight privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | ||||
| CVE-2021-24771 | 1 Inspirational Quote Rotator Project | 1 Inspirational Quote Rotator | 2024-11-21 | 4.8 Medium |
| The Inspirational Quote Rotator WordPress plugin through 1.0.0 does not sanitize and escape some of its quote fields when adding/editing a quote as admin, leading to Stored Cross-Site scripting issues when the quote is output in the "Quotes list" even when the unfiltered_html capability is disallowed | ||||
| CVE-2021-24768 | 1 Wprssaggregator | 1 Wp Rss Aggregator | 2024-11-21 | 4.8 Medium |
| The WP RSS Aggregator WordPress plugin before 4.19.2 does not properly sanitise and escape the URL to Blacklist field, allowing malicious HTML to be inserted by high privilege users even when the unfiltered_html capability is disallowed, which could lead to Cross-Site Scripting issues. | ||||
| CVE-2021-24765 | 1 Getperfectsurvey | 1 Perfect Survey | 2024-11-21 | 6.1 Medium |
| The Perfect Survey WordPress plugin through 1.5.2 does not validate and escape the X-Forwarded-For header value before outputting it in the statistic page when the Anonymize IP setting of a survey is turned off, leading to a Stored Cross-Site Scripting issue | ||||
| CVE-2021-24764 | 1 Getperfectsurvey | 1 Perfect Survey | 2024-11-21 | 6.1 Medium |
| The Perfect Survey WordPress plugin before 1.5.2 does not sanitise and escape multiple parameters (id and filters[session_id] of single_statistics page, type and message of importexport page) before outputting them back in pages/attributes in the admin dashboard, leading to Reflected Cross-Site Scripting issues | ||||
| CVE-2021-24760 | 1 Pdf Viewer Block For Gutenberg Project | 1 Pdf Viewer Block For Gutenberg | 2024-11-21 | 5.4 Medium |
| The Gutenberg PDF Viewer Block WordPress plugin before 1.0.1 does not sanitise and escape its block, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks. | ||||
| CVE-2021-24759 | 1 Pdf.js Viewer Project | 1 Pdf.js Viewer | 2024-11-21 | 5.4 Medium |
| The PDF.js Viewer WordPress plugin before 2.0.2 does not escape some of its shortcode and Gutenberg Block attributes, which could allow users with a role as low as Contributor to to perform Cross-Site Scripting attacks | ||||
| CVE-2021-24756 | 1 Wp System Log Project | 1 Wp System Log | 2024-11-21 | 6.1 Medium |
| The WP System Log WordPress plugin before 1.0.21 does not sanitise, validate and escape the IP address retrieved from login requests before outputting them in the admin dashboard, which could allow unauthenticated attacker to perform Cross-Site Scripting attacks against admins viewing the logs. | ||||
| CVE-2021-24751 | 1 Generateblocks | 1 Generateblocks | 2024-11-21 | 5.4 Medium |
| The GenerateBlocks WordPress plugin before 1.4.0 does not validate the generateblocks/container block's tagName attribute, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks. | ||||
| CVE-2021-24746 | 1 Heateor | 1 Sassy Social Share | 2024-11-21 | 6.1 Medium |
| The Social Sharing Plugin WordPress plugin before 3.3.40 does not escape the viewed post URL before outputting it back in onclick attributes when the "Enable 'More' icon" option is enabled (which is the default setting), leading to a Reflected Cross-Site Scripting issue. | ||||
| CVE-2021-24745 | 1 Wpkube | 1 About Author Box | 2024-11-21 | 5.4 Medium |
| The About Author Box WordPress plugin before 1.0.2 does not sanitise and escape the Social Profiles field values before outputting them in attributes, which could allow user with a role as low as contributor to perform Cross-Site Scripting attacks. | ||||
| CVE-2021-24744 | 1 Cimatti | 1 Contact Forms | 2024-11-21 | 4.8 Medium |
| The WordPress Contact Forms by Cimatti WordPress plugin before 1.4.12 does not sanitise and escape the Form Title before outputting it in some admin pages. which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed. | ||||
| CVE-2021-24743 | 1 Secondlinethemes | 1 Podcast Subscribe Buttons | 2024-11-21 | 5.4 Medium |
| The Podcast Subscribe Buttons WordPress plugin before 1.4.2 allows users with any role capable of editing or adding posts to perform stored XSS. | ||||