Total: 41347 CVEs
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2021-24421 | Eyecix | Jobsearch Wp Job Board | 2024-11-21 | 5.4 Medium | The WP JobSearch WordPress plugin before 1.7.4 did not sanitise or escape multiple of its parameters from the my-resume page before outputting them in the page, allowing low privilege users to use JavaScript payloads in them and leading to a Stored Cross-Site Scripting issue. |
| CVE-2021-24420 | Emarketdesign | Request A Quote | 2024-11-21 | 5.4 Medium | The Request a Quote WordPress plugin before 2.3.4 did not sanitise and escape some of its quote fields when adding/editing a quote as admin, leading to Stored Cross-Site Scripting issues when the quote is output in the 'All Quotes' table. |
| CVE-2021-24419 | Wp Youtube Lyte Project | Wp Youtube Lyte | 2024-11-21 | 4.8 Medium | The WP YouTube Lyte WordPress plugin before 1.7.16 did not sanitise or escape its lyte_yt_api_key and lyte_notification settings before outputting them back in the page, allowing high privilege users to set an XSS payload in them and leading to Stored Cross-Site Scripting issues. |
| CVE-2021-24418 | Smooth Scroll Page Up/down Buttons Project | Smooth Scroll Page Up/down Buttons | 2024-11-21 | 4.8 Medium | The Smooth Scroll Page Up/Down Buttons WordPress plugin through 1.4 does not properly sanitise and validate its psb_positioning setting, allowing high privilege users such as admin to set an XSS payload in it, which will be executed in all pages of the blog. |
| CVE-2021-24416 | Bplugins | Streamcast Radio Player | 2024-11-21 | 5.4 Medium | The StreamCast – Radio Player for WordPress plugin before 2.1.1 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set a Cross-Site Scripting payload in them, which will be triggered in the page(s) with the embedded malicious shortcode. |
| CVE-2021-24415 | Bplugins | Polo Video Gallery | 2024-11-21 | 5.4 Medium | The Polo Video Gallery – Best wordpress video gallery plugin WordPress plugin through 1.2 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set a Cross-Site Scripting payload in them, which will be triggered in the page(s) with the embedded malicious shortcode. |
| CVE-2021-24414 | Video Player For Youtube Project | Video Player For Youtube | 2024-11-21 | 5.4 Medium | The Video Player for YouTube WordPress plugin before 1.4 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set a Cross-Site Scripting payload in them, which will be triggered in the page(s) with the embedded malicious shortcode. |
| CVE-2021-24413 | Bplugins | Easy Twitter Feed | 2024-11-21 | 5.4 Medium | The Easy Twitter Feed WordPress plugin before 1.2 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set a Cross-Site Scripting payload in them, which will be triggered in the page(s) with the embedded malicious shortcode. |
| CVE-2021-24412 | Bplugins | Html5 Audio Player | 2024-11-21 | 5.4 Medium | The Html5 Audio Player – Audio Player for WordPress plugin before 2.1.3 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as contributor to set a Cross-Site Scripting payload in them, which will be triggered in the page(s) with the embedded malicious shortcode. |
| CVE-2021-24411 | Social Tape Project | Social Tape | 2024-11-21 | 6.1 Medium | The Social Tape WordPress plugin through 1.0 does not have CSRF checks in place when saving its settings, and does not sanitise or escape them before outputting them back in the page, leading to a Stored Cross-Site Scripting issue via a CSRF attack. |
| CVE-2021-24410 | Telugu Bible Verse Daily Project | Telugu Bible Verse Daily | 2024-11-21 | 6.1 Medium | The తెలుగు బైబిల్ వచనములు WordPress plugin through 1.0 is lacking any CSRF check when saving its settings and verses, and does not sanitise or escape them when outputting them back in the page. This could allow attackers to make a logged in admin change the settings, as well as add malicious verses containing JavaScript code, leading to Stored XSS issues. |
| CVE-2021-24409 | Plugin-planet | Prismatic | 2024-11-21 | 6.1 Medium | The Prismatic WordPress plugin before 2.8 does not escape the 'tab' GET parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator. |
| CVE-2021-24408 | Plugin-planet | Prismatic | 2024-11-21 | 5.4 Medium | The Prismatic WordPress plugin before 2.8 does not sanitise or validate some of its shortcode parameters, allowing users with a role as low as Contributor to set a Cross-Site Scripting payload in them. A post made by a contributor would still have to be approved by an admin to have the XSS triggerable in the frontend; however, higher privilege users such as editors could exploit this without the need for approval, even when the blog disallows the unfiltered_html capability. |
| CVE-2021-24407 | Tielabs | Jannah | 2024-11-21 | 6.1 Medium | The Jannah WordPress theme before 5.4.5 did not properly sanitize the 'query' POST parameter in its tie_ajax_search AJAX action, leading to a Reflected Cross-Site Scripting (XSS) vulnerability. |
| CVE-2021-24389 | Chimpgroup | Foodbakery | 2024-11-21 | 6.1 Medium | The WP Foodbakery WordPress plugin before 2.2, used in the FoodBakery WordPress theme before 2.2, did not properly sanitize the foodbakery_radius parameter before outputting it back in the response, leading to an unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability. |
| CVE-2021-24388 | E4j | Vikrentcar Car Rental Management System | 2024-11-21 | 5.4 Medium | In the VikRentCar Car Rental Management System WordPress plugin before 1.1.7, there is a custom field option by which all the fields that users will have to fill in before saving the order can be managed. However, the field name is not sanitised or escaped before being output back in the page, leading to a Stored Cross-Site Scripting issue. There is also no CSRF check done before saving the setting, allowing attackers to make a logged in admin set arbitrary Custom Fields, including one with an XSS payload in it. |
| CVE-2021-24387 | Contempothemes | Real Estate 7 | 2024-11-21 | 6.1 Medium | The WP Pro Real Estate 7 WordPress theme before 3.1.1 did not properly sanitise the ct_community parameter in its search listing page before outputting it back in it, leading to a Reflected Cross-Site Scripting issue which can be triggered in both unauthenticated and authenticated user contexts. |
| CVE-2021-24386 | Kubiq | Wp Svg Images | 2024-11-21 | 5.4 Medium | The WP SVG images WordPress plugin before 3.4 did not sanitise the SVG files uploaded, which could allow low privilege users such as author+ to upload a malicious SVG and then perform XSS attacks by inducing another user to access the file directly. In v3.4, the plugin restricted such uploads to editors and admins, with an option to also allow authors to do so. The description of the plugin has also been updated with a security warning, as upload of such content is intended. |
| CVE-2021-24383 | Codecabin | Wp Go Maps | 2024-11-21 | 5.4 Medium | The WP Google Maps WordPress plugin before 8.1.12 did not sanitise, validate or escape the Map Name when output in the Map List of the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue. |
| CVE-2021-24382 | Nextendweb | Smart Slider | 2024-11-21 | 5.4 Medium | The Smart Slider 3 Free and Pro WordPress plugins before 3.5.0.9 did not sanitise the Project Name before outputting it back in the page, leading to a Stored Cross-Site Scripting issue. By default, only administrator users could access the affected functionality, limiting the exploitability of the vulnerability. However, some WordPress admins may allow lesser privileged users to access the plugin's functionality, in which case privilege escalation could be performed. |