Total
41354 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-24616 | 1 Addtoany | 1 Addtoany Share Buttons | 2024-11-21 | 4.8 Medium |
| The AddToAny Share Buttons WordPress plugin before 1.7.48 does not escape its Image URL button setting, which could lead allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | ||||
| CVE-2021-24615 | 1 Wechat Reward Project | 1 Wechat Reward | 2024-11-21 | 5.4 Medium |
| The Wechat Reward WordPress plugin through 1.7 does not sanitise or escape its QR settings, nor has any CSRF check in place, allowing attackers to make a logged in admin change the settings and perform Cross-Site Scripting attacks. | ||||
| CVE-2021-24614 | 1 Oz-plugin | 1 Book Appointment Online | 2024-11-21 | 4.8 Medium |
| The Book appointment online WordPress plugin before 1.39 does not sanitise or escape Service Prices before outputting it in the List, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | ||||
| CVE-2021-24613 | 1 Dfactory | 1 Post Views Counter | 2024-11-21 | 4.8 Medium |
| The Post Views Counter WordPress plugin before 1.3.5 does not sanitise or escape its Post Views Label settings, which could allow high privilege users to perform Cross-Site Scripting attacks in the frontend even when the unfiltered_html capability is disallowed | ||||
| CVE-2021-24612 | 1 Sociable Project | 1 Sociable | 2024-11-21 | 4.8 Medium |
| The Sociable WordPress plugin through 4.3.4.1 does not sanitise or escape some of its settings before outputting them in the admins dashboard, allowing high privilege users to perform Cross-Site Scripting attacks against other users even when the unfiltered_html capability is disallowed | ||||
| CVE-2021-24611 | 1 Keyword Meta Project | 1 Keyword Meta | 2024-11-21 | 5.4 Medium |
| The Keyword Meta WordPress plugin through 3.0 does not sanitise of escape its settings before outputting them back in the page after they are saved, allowing for Cross-Site Scripting issues. Furthermore, it is also lacking any CSRF check, allowing attacker to make a logged in high privilege user save arbitrary setting via a CSRF attack. | ||||
| CVE-2021-24610 | 1 Cozmoslabs | 1 Translatepress | 2024-11-21 | 4.8 Medium |
| The TranslatePress WordPress plugin before 2.0.9 does not implement a proper sanitisation on the translated strings. The 'trp_sanitize_string' function only removes script tag with a regex, still allowing other HTML tags and attributes to execute javascript, which could lead to authenticated Stored Cross-Site Scripting issues. | ||||
| CVE-2021-24609 | 1 Wp Mapa Politico Espana Project | 1 Wp Mapa Politico Espana | 2024-11-21 | 4.8 Medium |
| The WP Mapa Politico Espana WordPress plugin before 3.7.0 does not sanitise or escape some of its settings before outputting them in attributes, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed | ||||
| CVE-2021-24608 | 1 Strategy11 | 1 Formidable Form Builder | 2024-11-21 | 4.8 Medium |
| The Formidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress plugin before 5.0.07 does not sanitise and escape its Form's Labels, allowing high privileged users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | ||||
| CVE-2021-24607 | 1 Wooassist | 1 Storefront Footer Text | 2024-11-21 | 4.8 Medium |
| The Storefront Footer Text WordPress plugin through 1.0.1 does not sanitize and escape the "Footer Credit Text" added to pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered-html capability is disallowed. | ||||
| CVE-2021-24605 | 1 Custom Post View Generator Project | 1 Custom Post View Generator | 2024-11-21 | 5.4 Medium |
| The create_post_page AJAX action of the Custom Post View Generator WordPress plugin through 0.4.6 (available to authenticated user) does not sanitise or escape user input before outputting it back in the response, leading to a Reflected Cross-Site issue | ||||
| CVE-2021-24604 | 1 Offshorewebmaster | 1 Availability Calendar | 2024-11-21 | 4.8 Medium |
| The Availability Calendar WordPress plugin before 1.2.2 does not sanitise or escape its Category Names before outputting them in page/post where the associated shortcode is embed, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed | ||||
| CVE-2021-24603 | 1 Geminilabs | 1 Site Reviews | 2024-11-21 | 5.4 Medium |
| The Site Reviews WordPress plugin before 5.13.1 does not sanitise some of its Review Details when adding a review as an admin, which could allow them to perform Cross-Site Scripting attacks when the unfiltered_html is disallowed | ||||
| CVE-2021-24601 | 1 Wpfront | 1 Wpfront Notification Bar | 2024-11-21 | 5.4 Medium |
| The WPFront Notification Bar WordPress plugin before 2.1.0.08087 does not properly sanitise and escape its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | ||||
| CVE-2021-24600 | 1 Wp Dialog Project | 1 Wp Dialog | 2024-11-21 | 4.8 Medium |
| The WP Dialog WordPress plugin through 1.2.5.5 does not sanitise and escape some of its settings before outputting them in pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | ||||
| CVE-2021-24599 | 1 Wp-webhooks | 1 Email Encoder | 2024-11-21 | 6.1 Medium |
| The Email Encoder – Protect Email Addresses WordPress plugin before 2.1.2 has an endpoint that requires no authentication and will render a user supplied value in the HTML response without escaping or sanitizing the data. | ||||
| CVE-2021-24598 | 1 Wpshopmart | 1 Testimonial Builder | 2024-11-21 | 4.8 Medium |
| The Testimonial WordPress plugin before 1.6.0 does not escape some testimonial fields which could allow high privilege users to perform Cross Site Scripting attacks even when the unfiltered_html capability is disallowed | ||||
| CVE-2021-24597 | 1 You-shang Project | 1 You-shang | 2024-11-21 | 5.4 Medium |
| The You Shang WordPress plugin through 1.0.1 does not escape its qrcode links settings, which result into Stored Cross-Site Scripting issues in frontend posts and the plugins settings page depending on the payload used | ||||
| CVE-2021-24596 | 1 Itservicejung | 1 Youforms-free-for-copecart | 2024-11-21 | 4.8 Medium |
| The youForms for WordPress plugin through 1.0.5 does not sanitise escape the Button Text field of its Templates, allowing high privilege users (editors and admins) to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | ||||
| CVE-2021-24595 | 1 Wp Cookie Choice Project | 1 Wp Cookie Choice | 2024-11-21 | 6.5 Medium |
| The Wp Cookie Choice WordPress plugin through 1.1.0 is lacking any CSRF check when saving its options, and do not escape them when outputting them in attributes. As a result, an attacker could make a logged in admin change them to arbitrary values including XSS payloads via a CSRF attack. | ||||