Total
41384 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-24738 | 1 Shapedplugin | 1 Logo Carousel | 2024-11-21 | 5.4 Medium |
| The Logo Carousel WordPress plugin before 3.4.2 does not validate and escape the "Logo Margin" carousel option, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks | ||||
| CVE-2021-24737 | 1 Gvectors | 1 Wpdiscuz | 2024-11-21 | 4.8 Medium |
| The Comments – wpDiscuz WordPress plugin through 7.3.0 does not properly sanitise or escape the Follow and Unfollow messages before outputting them in the page, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | ||||
| CVE-2021-24736 | 1 Tammersoft | 1 Shared Files | 2024-11-21 | 4.8 Medium |
| The Easy Download Manager and File Sharing Plugin with frontend file upload – a better Media Library — Shared Files WordPress plugin before 1.6.57 does not sanitise and escape some of its settings before outputting them in attributes, which could lead to Stored Cross-Site Scripting issues. | ||||
| CVE-2021-24734 | 1 Tipsandtricks-hq | 1 Compact Wp Audio Player | 2024-11-21 | 5.4 Medium |
| The Compact WP Audio Player WordPress plugin before 1.9.7 does not escape some of its shortcodes attributes, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2021-24732 | 1 Dearhive | 1 Dearflip | 2024-11-21 | 5.4 Medium |
| The PDF Flipbook, 3D Flipbook WordPress – DearFlip WordPress plugin before 1.7.10 does not escape the class attribute of its shortcode before outputting it back in an attribute, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks | ||||
| CVE-2021-24729 | 1 Infornweb | 1 Logo Showcase With Slick Slider | 2024-11-21 | 5.4 Medium |
| The Logo Showcase with Slick Slider WordPress plugin before 1.2.4 does not sanitise the Grid Settings, which could allow users with a role as low as Author to perform stored Cross-Site Scripting attacks via post metadata of Grid logo showcase. | ||||
| CVE-2021-24724 | 1 Motopress | 1 Timetable And Event Schedule | 2024-11-21 | 5.4 Medium |
| The Timetable and Event Schedule by MotoPress WordPress plugin before 2.3.19 does not sanitise some of its parameters, which could allow low privilege users such as author to perform XSS attacks against frontend and backend users when viewing the related event/s | ||||
| CVE-2021-24723 | 1 Wpreactions | 1 Wp Reactions Lite | 2024-11-21 | 5.4 Medium |
| The WP Reactions Lite WordPress plugin before 1.3.6 does not properly sanitize inputs within wp-admin pages, allowing users with sufficient access to inject XSS payloads within /wp-admin/ pages. | ||||
| CVE-2021-24722 | 1 Motopress | 1 Restaurant Menu | 2024-11-21 | 4.8 Medium |
| The Restaurant Menu by MotoPress WordPress plugin before 2.4.2 does not properly sanitize or escape inputs when creating new menu items, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | ||||
| CVE-2021-24720 | 1 Ayecode | 1 Geodirectory | 2024-11-21 | 5.4 Medium |
| The GeoDirectory Business Directory WordPress plugin before 2.1.1.3 was vulnerable to Authenticated Stored Cross-Site Scripting (XSS). | ||||
| CVE-2021-24719 | 1 Kriesi | 1 Enfold | 2024-11-21 | 6.1 Medium |
| The Enfold Enfold WordPress theme before 4.8.4 was vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability is present on Enfold versions previous than 4.8.4 which use Avia Page Builder. | ||||
| CVE-2021-24718 | 1 Reputeinfosystems | 1 Contact Form\, Survey \& Popup Form Plugin For Wordpress - Arforms Form Builder | 2024-11-21 | 4.8 Medium |
| The Contact Form, Survey & Popup Form Plugin for WordPress plugin before 1.5 does not properly sanitize some of its settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | ||||
| CVE-2021-24716 | 1 Webnus | 1 Modern Events Calendar Lite | 2024-11-21 | 5.4 Medium |
| The Modern Events Calendar Lite WordPress plugin before 5.22.3 does not properly sanitize or escape values set by users with access to adjust settings withing wp-admin. | ||||
| CVE-2021-24715 | 1 Wp Sitemap Page Project | 1 Wp Sitemap Page | 2024-11-21 | 4.8 Medium |
| The WP Sitemap Page WordPress plugin before 1.7.0 does not properly sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | ||||
| CVE-2021-24714 | 1 Soflyy | 1 Wp All Import | 2024-11-21 | 4.8 Medium |
| The Import any XML or CSV File to WordPress plugin before 3.6.3 does not escape the Import's Title and Unique Identifier fields before outputting them in admin pages, which could allow high privilege users to perform Cross-Site attacks even when the unfiltered_html capability is disallowed. | ||||
| CVE-2021-24712 | 1 Dwbooster | 1 Appointment Hour Booking | 2024-11-21 | 5.4 Medium |
| The Appointment Hour Booking WordPress plugin before 1.3.17 does not properly sanitize values used when creating new calendars. | ||||
| CVE-2021-24710 | 1 Print-o-matic Project | 1 Print-o-matic | 2024-11-21 | 4.8 Medium |
| The Print-O-Matic WordPress plugin before 2.0.3 does not escape some of its settings before outputting them in attribute, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | ||||
| CVE-2021-24709 | 1 Awplife | 1 Weather Effect | 2024-11-21 | 4.8 Medium |
| The Weather Effect WordPress plugin before 1.3.6 does not properly validate and escape some of its settings (like *_size_leaf, *_flakes_leaf, *_speed) which could lead to Stored Cross-Site Scripting issues | ||||
| CVE-2021-24708 | 1 Wp All Export Project | 1 Wp All Export | 2024-11-21 | 4.8 Medium |
| The Export any WordPress data to XML/CSV WordPress plugin before 1.3.1 does not escape its Export's Name before outputting it in Manage Exports settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | ||||
| CVE-2021-24707 | 1 Nd-learning Project | 1 Nd-learning | 2024-11-21 | 4.8 Medium |
| The Learning Courses WordPress plugin before 5.0 does not sanitise and escape the Email PDT identity token settings, which could allow high privilege users to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | ||||