Export limit exceeded: 343523 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (343523 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-4415 | 1 Sunshinephotocart | 1 Sunshine Photo Cart | 2026-04-08 | 4.3 Medium |
| The Sunshine Photo Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.8.28 This is due to missing or incorrect nonce validation on the sunshine_products_quicksave_post() function. This makes it possible for unauthenticated attackers to save custom post data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2021-4414 | 1 Tychesoftwares | 1 Abandoned Cart Lite For Woocommerce | 2026-04-08 | 4.3 Medium |
| The Abandoned Cart Lite for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.8.5. This is due to missing or incorrect nonce validation on the wcal_preview_emails() function. This makes it possible for unauthenticated attackers to generate email preview templates via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2021-4413 | 1 Coolplugins | 1 Process Steps Template Designer | 2026-04-08 | 4.3 Medium |
| The Process Steps Template Designer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on the save() function. This makes it possible for unauthenticated attackers to save field icons via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2021-4412 | 1 Goprayer | 1 Wp Prayer | 2026-04-08 | 4.3 Medium |
| The WP Prayer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.5. This is due to missing or incorrect nonce validation on the save() and export() functions. This makes it possible for unauthenticated attackers to save plugin settings and trigger a data export via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2021-4411 | 1 Wpeasypay | 1 Wp Easypay | 2026-04-08 | 4.3 Medium |
| The WP EasyPay – Square for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.2.0. This is due to missing or incorrect nonce validation on the wpep_download_transaction_in_excel() function. This makes it possible for unauthenticated attackers to trigger a transactions download via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2021-4383 | 1 Webdevocean | 1 Wp Quick Frontend Editor | 2026-04-08 | 8.1 High |
| The WP Quick FrontEnd Editor plugin for WordPress is vulnerable to page content injection in versions up to, and including, 5.5. This is due to missing capability checks in the plugin's page-editing functionality. This makes it possible for low-authenticated attackers, such as subscribers, to edit/create any page or post on the blog. | ||||
| CVE-2021-4382 | 1 Recently Project | 1 Recently | 2026-04-08 | 8.8 High |
| The Recently plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the fetch_external_image() function in versions up to, and including, 3.0.4. This makes it possible for authenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2021-4381 | 1 Stylemixthemes | 1 Ulisting | 2026-04-08 | 9.8 Critical |
| The uListing plugin for WordPress is vulnerable to authorization bypass via wp_route due to missing capability checks, and a missing security nonce, in the StmListingSingleLayout::import_new_layout method in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to change any WordPress option in the database. | ||||
| CVE-2021-4380 | 1 Valvepress | 1 Pinterest Automatic Pin | 2026-04-08 | 9.8 Critical |
| The Pinterest Automatic plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the 'wp_pinterest_automatic_parse_request' function and the 'process_form.php' script in versions up to, and including, 1.14.3. This makes it possible for unauthenticated attackers to update arbitrary options on a site that can be used to create new administrative user accounts or redirect unsuspecting site visitors. | ||||
| CVE-2021-4379 | 1 Villatheme | 1 Woocommerce Multi Currency | 2026-04-08 | 6.5 Medium |
| The WooCommerce Multi Currency plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wmc_bulk_fixed_price function in versions up to, and including, 2.1.17. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to make changes to product prices. | ||||
| CVE-2021-4378 | 1 Webdevocean | 1 Wp Quick Frontend Editor | 2026-04-08 | 6.4 Medium |
| The WP Quick FrontEnd Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with minimal permissions like subscribers, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2021-4377 | 1 Wobbie | 1 Doneren Met Mollie | 2026-04-08 | 6.5 Medium |
| The Doneren met Mollie plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 2.8.5 via the dmm_export_donations() function which is called via the admin_post_dmm_export hook due to missing capability checks. This can allow authenticated attackers to extract a CSV file that contains sensitive information about the donors. | ||||
| CVE-2021-4376 | 1 Palscode | 1 Woocommerce Multi Currency | 2026-04-08 | 4.3 Medium |
| The WooCommerce Multi Currency plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.17. This makes it possible for authenticated attackers to change the price of a product to an arbitrary value. | ||||
| CVE-2021-4375 | 1 Welcart | 1 Welcart E-commerce | 2026-04-08 | 4.3 Medium |
| The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the usces_download_system_information() function in versions up to, and including, 2.2.7. This makes it possible for authenticated attackers to download information including WordPress settings, plugin settings, PHP settings and server settings. | ||||
| CVE-2021-4374 | 1 Valvepress | 1 Wordpress Automatic Plugin | 2026-04-08 | 9.1 Critical |
| The WordPress Automatic Plugin for WordPress is vulnerable to arbitrary options updates in versions up to, and including, 3.53.2. This is due to missing authorization and option validation in the process_form.php file. This makes it possible for unauthenticated attackers to arbitrarily update the settings of a vulnerable site and ultimately compromise the entire site. | ||||
| CVE-2021-4373 | 1 Webberzone | 1 Better Search | 2026-04-08 | 8.8 High |
| The Better Search plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.2. This makes it possible for unauthenticated attackers to import settings via forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2021-4372 | 1 Rightpress | 1 Woocommerce Dynamic Pricing And Discounts | 2026-04-08 | 6.5 Medium |
| The WooCommerce Dynamic Pricing and Discounts plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.4.1. This is due to missing sanitization on the settings imported via the import() function. This makes it possible for unauthenticated attackers to import a settings file containing malicious JavaScript that would execute when an administrator accesses the settings area of the site. | ||||
| CVE-2021-4371 | 1 Pluginmirror | 1 Wp Quick Frontend Editor | 2026-04-08 | 4.3 Medium |
| The WP Quick FrontEnd Editor plugin for WordPress is vulnerable to Setting Changs in versions up to, and including, 5.5. This is due to lacking both a security nonce and a capabilities check. This makes it possible for low-authenticated attackers to change plugin settings even when they do not have the capabilities to do so. | ||||
| CVE-2021-4370 | 1 Stylemixthemes | 1 Ulisting | 2026-04-08 | 9.8 Critical |
| The uListing plugin for WordPress is vulnerable to authorization bypass as most actions and endpoints are accessible to unauthenticated users, lack security nonces, and data is seldom validated. This issue exists in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to conduct numerous administrative actions, including those less critical than the explicitly outlined ones in our detection. | ||||
| CVE-2021-4369 | 1 Najeebmedia | 1 Frontend File Manager Plugin | 2026-04-08 | 5.8 Medium |
| The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Content Injection in versions up to, and including, 18.2. This is due to lacking authorization protections, checks against users editing other's posts, and lacking a security nonce, all on the wpfm_edit_file_title_desc AJAX action. This makes it possible for unauthenticated attackers to edit the content and title of every page on the site. | ||||