Total
41277 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-24169 | 1 Algolplus | 1 Advanced Order Export For Woocommerce | 2024-11-21 | 6.1 Medium |
| This Advanced Order Export For WooCommerce WordPress plugin before 3.1.8 helps you to easily export WooCommerce order data. The tab parameter in the Admin Panel is vulnerable to reflected XSS. | ||||
| CVE-2021-24168 | 1 Easy Contact Form Pro Project | 1 Easy Contact Form Pro | 2024-11-21 | 5.4 Medium |
| The Easy Contact Form Pro WordPress plugin before 1.1.1.9 did not properly sanitise the text fields (such as Email Subject, Email Recipient, etc) when creating or editing a form, leading to an authenticated (author+) stored cross-site scripting issue. This could allow medium privilege accounts (such as author and editor) to perform XSS attacks against high privilege ones like administrator. | ||||
| CVE-2021-24157 | 1 Themeisle | 1 Orbit Fox | 2024-11-21 | 5.4 Medium |
| Orbit Fox by ThemeIsle has a feature to add custom scripts to the header and footer of a page or post. There were no checks to verify that a user had the unfiltered_html capability prior to saving the script tags, thus allowing lower-level users to inject scripts that could potentially be malicious. | ||||
| CVE-2021-24156 | 1 Testimonial Rotator Project | 1 Testimonial Rotator | 2024-11-21 | 5.4 Medium |
| Stored Cross-Site Scripting vulnerabilities in Testimonial Rotator 3.0.3 allow low privileged users (Contributor) to inject arbitrary JavaScript code or HTML without approval. This could lead to privilege escalation | ||||
| CVE-2021-24153 | 1 Yoast | 1 Yoast Seo | 2024-11-21 | 5.4 Medium |
| A Stored Cross-Site Scripting vulnerability was discovered in the Yoast SEO WordPress plugin before 3.4.1, which had built-in blacklist filters which were blacklisting Parenthesis as well as several functions such as alert but bypasses were found. | ||||
| CVE-2021-24152 | 1 Sygnoos | 1 Popup Builder | 2024-11-21 | 6.1 Medium |
| The "All Subscribers" setting page of Popup Builder was vulnerable to reflected Cross-Site Scripting. | ||||
| CVE-2021-24147 | 1 Webnus | 1 Modern Events Calendar Lite | 2024-11-21 | 5.4 Medium |
| Unvalidated input and lack of output encoding in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not sanitise the mic_comment field (Notes on time) when adding/editing an event, allowing users with privilege as low as author to add events with a Cross-Site Scripting payload in them, which will be triggered in the frontend when viewing the event. | ||||
| CVE-2021-24136 | 1 Axelerant | 1 Testimonials Widget | 2024-11-21 | 5.4 Medium |
| Unvalidated input and lack of output encoding in the Testimonials Widget WordPress plugin, versions before 4.0.0, lead to multiple Cross-Site Scripting vulnerabilities, allowing remote attackers to inject arbitrary JavaScript code or HTML via the below parameters: - Author - Job Title - Location - Company - Email - URL | ||||
| CVE-2021-24135 | 1 Gowebsolutions | 1 Wp Customer Reviews | 2024-11-21 | 6.1 Medium |
| Unvalidated input and lack of output encoding in the WP Customer Reviews WordPress plugin, versions before 3.4.3, lead to multiple Stored Cross-Site Scripting vulnerabilities allowing remote attackers to inject arbitrary JavaScript code or HTML. | ||||
| CVE-2021-24134 | 1 Constantcontact | 1 Constant Contact Forms | 2024-11-21 | 4.8 Medium |
| Unvalidated input and lack of output encoding in the Constant Contact Forms WordPress plugin, versions before 1.8.8, lead to multiple Stored Cross-Site Scripting vulnerabilities, which allowed high-privileged user (Editor+) to inject arbitrary JavaScript code or HTML in posts where the malicious form is embed. | ||||
| CVE-2021-24129 | 1 Themify | 1 Portfolio Post | 2024-11-21 | 5.4 Medium |
| Unvalidated input and lack of output encoding in the Themify Portfolio Post WordPress plugin, versions before 1.1.6, lead to Stored Cross-Site Scripting (XSS) vulnerabilities allowing low-privileged users (Contributor+) to inject arbitrary JavaScript code or HTML in posts where the Themify Custom Panel is embedded, which could lead to privilege escalation. | ||||
| CVE-2021-24128 | 1 Wpdarko | 1 Team Members | 2024-11-21 | 5.4 Medium |
| Unvalidated input and lack of output encoding in the Team Members WordPress plugin, versions before 5.0.4, lead to Cross-site scripting vulnerabilities allowing medium-privileged authenticated attacker (contributor+) to inject arbitrary web script or HTML via the 'Description/biography' of a member. | ||||
| CVE-2021-24127 | 1 Caseproof | 1 Thirstyaffiliates Affiliate Link Manager | 2024-11-21 | 5.4 Medium |
| Unvalidated input and lack of output encoding in the ThirstyAffiliates Affiliate Link Manager WordPress plugin, versions before 3.9.3, was vulnerable to authenticated Stored Cross-Site Scripting (XSS), which could lead to privilege escalation. | ||||
| CVE-2021-24126 | 1 Enviragallery | 1 Envira Gallery | 2024-11-21 | 5.4 Medium |
| Unvalidated input and lack of output encoding in the Envira Gallery Lite WordPress plugin, versions before 1.8.3.3, did not properly sanitise the images metadata (namely title) before outputting them in the generated gallery, which could lead to privilege escalation. | ||||
| CVE-2021-24124 | 1 Terryl | 1 Wp Shieldon | 2024-11-21 | 6.1 Medium |
| Unvalidated input and lack of output encoding in the WP Shieldon WordPress plugin, version 1.6.3 and below, leads to Unauthenticated Reflected Cross-Site Scripting (XSS) when the CAPTCHA page is shown could lead to privileged escalation. | ||||
| CVE-2021-24021 | 1 Fortinet | 1 Fortianalyzer | 2024-11-21 | 4.3 Medium |
| An improper neutralization of input vulnerability [CWE-79] in FortiAnalyzer versions 6.4.3 and below, 6.2.7 and below and 6.0.10 and below may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the column settings of Logview in FortiAnalyzer, should the attacker be able to obtain that POST request, via other, hypothetical attacks. | ||||
| CVE-2021-24014 | 1 Fortinet | 1 Fortisandbox | 2024-11-21 | 5.4 Medium |
| Multiple instances of improper neutralization of input during web page generation vulnerabilities in FortiSandbox before 4.0.0 may allow an unauthenticated attacker to perform an XSS attack via specifically crafted request parameters. | ||||
| CVE-2021-23959 | 1 Mozilla | 1 Firefox | 2024-11-21 | 6.1 Medium |
| An XSS bug in internal error pages could have led to various spoofing attacks, including other error pages and the address bar. Note: This issue only affected Firefox for Android. Other operating systems are unaffected. This vulnerability affects Firefox < 85. | ||||
| CVE-2021-23936 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | 6.1 Medium |
| OX App Suite through 7.10.4 allows XSS via the subject of a task. | ||||
| CVE-2021-23935 | 1 Open-xchange | 1 Open-xchange Appsuite | 2024-11-21 | 6.1 Medium |
| OX App Suite through 7.10.4 allows XSS via an appointment in which the location contains JavaScript code. | ||||