Search Results (45652 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2021-24503 | 1 Thememason | 1 Popular Brand Icons - Simple Icons | 2024-11-21 | 5.4 Medium | The Popular Brand Icons – Simple Icons WordPress plugin before 2.7.8 does not sanitise or validate some of its shortcode parameters, such as "color", "size" or "class", allowing users with a role as low as Contributor to set a Cross-Site Scripting payload in them. A post made by a contributor would still have to be approved by an admin to have the XSS triggered in the frontend; however, higher privilege users, such as editors, could exploit this without the need for approval, and even when the blog disallows the unfiltered_html capability. |
| CVE-2021-24498 | 1 Dwbooster | 1 Calendar Event Multi View | 2024-11-21 | 6.1 Medium | The Calendar Event Multi View WordPress plugin before 1.4.01 does not sanitise or escape the 'start' and 'end' GET parameters before outputting them in the page (via php/edit.php), leading to a reflected Cross-Site Scripting issue. |
| CVE-2021-24496 | 1 Community Events Project | 1 Community Events | 2024-11-21 | 6.1 Medium | The Community Events WordPress plugin before 1.4.8 does not sanitise, validate or escape its importrowscount and successimportcount GET parameters before outputting them back in an admin page, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator. |
| CVE-2021-24495 | 1 Marmoset | 1 Marmoset Viewer | 2024-11-21 | 6.1 Medium | The Marmoset Viewer WordPress plugin before 1.9.3 does not properly sanitize, validate or escape the 'id' parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue. |
| CVE-2021-24494 | 1 Deliciousbrains | 1 Wp Offload Ses Lite | 2024-11-21 | 5.4 Medium | The WP Offload SES Lite WordPress plugin before 1.4.5 did not escape some of the fields in the Activity page of the admin dashboard, such as the email's id, subject and recipient, which could lead to Stored Cross-Site Scripting issues when an attacker can control any of these fields, like the subject when filling in a contact form for example. The XSS will be executed in the context of a logged in admin viewing the Activity tab of the plugin. |
| CVE-2021-24489 | 1 Emarketdesign | 1 Request A Quote | 2024-11-21 | 4.8 Medium | The Request a Quote WordPress plugin before 2.3.9 does not sanitise, validate or escape some of its settings in the admin dashboard, leading to authenticated Stored Cross-Site Scripting issues even when the unfiltered_html capability is disallowed. |
| CVE-2021-24488 | 1 Pickplugins | 1 Post Grid | 2024-11-21 | 6.1 Medium | The slider import search feature and tab parameter of the Post Grid WordPress plugin before 2.1.8 settings are not properly sanitised before being output back in the pages, leading to Reflected Cross-Site Scripting issues. |
| CVE-2021-24487 | 1 Sanskruti | 1 St-daily-tip | 2024-11-21 | 8.8 High | The St-Daily-Tip WordPress plugin through 4.7 does not have any CSRF check in place when saving its 'Default Text to Display if no tips' setting, and was also lacking sanitisation as well as escaping before outputting it in the page. This could allow an attacker to make logged in administrators set a malicious payload in it, leading to a Stored Cross-Site Scripting issue. |
| CVE-2021-24486 | 1 Wpbrigade | 1 Simple Social Media Share Buttons | 2024-11-21 | 5.4 Medium | The Simple Social Media Share Buttons – Social Sharing for Everyone WordPress plugin before 3.2.3 did not escape the align and like_button_size parameters of its SSB shortcode, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. |
| CVE-2021-24485 | 1 Wp-special-textboxes Project | 1 Wp-special-textboxes | 2024-11-21 | 4.8 Medium | The Special Text Boxes WordPress plugin before 5.9.110 does not sanitise or escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| CVE-2021-24482 | 1 Never5 | 1 Related Posts | 2024-11-21 | 4.8 Medium | The Related Posts for WordPress plugin through 2.0.4 does not sanitise its heading_text and CSS settings, allowing high privilege users (admin) to set XSS payloads in them, leading to Stored Cross-Site Scripting issues. |
| CVE-2021-24481 | 1 Any Hostname Project | 1 Any Hostname | 2024-11-21 | 4.8 Medium | The Any Hostname WordPress plugin through 1.0.6 does not sanitise or escape its "Allowed hosts" setting, leading to an authenticated stored XSS issue, as high privilege users are able to set XSS payloads in it. |
| CVE-2021-24480 | 1 Event Geek Project | 1 Event Geek | 2024-11-21 | 4.8 Medium | The Event Geek WordPress plugin through 2.5.2 does not sanitise or escape its "Use your own " setting before outputting it in the page, leading to an authenticated (admin+) stored Cross-Site Scripting issue. |
| CVE-2021-24479 | 1 Drawblog Project | 1 Drawblog | 2024-11-21 | 4.8 Medium | The DrawBlog WordPress plugin through 0.90 does not sanitise or validate some of its settings before outputting them back in the page, leading to an authenticated stored Cross-Site Scripting issue. |
| CVE-2021-24478 | 1 Bookshelf Project | 1 Bookshelf | 2024-11-21 | 5.4 Medium | The Bookshelf WordPress plugin through 2.0.4 does not sanitise or escape its "Paypal email address" setting before outputting it in the page, leading to an authenticated Stored Cross-Site Scripting issue. |
| CVE-2021-24477 | 1 Migrate Users Project | 1 Migrate Users | 2024-11-21 | 6.1 Medium | The Migrate Users WordPress plugin through 1.0.1 does not sanitise or escape its Delimiter option before outputting it in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin does not have a CSRF check in place when saving its options, allowing the issue to be exploited via a CSRF attack. |
| CVE-2021-24476 | 1 Steam Group Viewer Project | 1 Steam Group Viewer | 2024-11-21 | 5.4 Medium | The Steam Group Viewer WordPress plugin through 2.1 does not sanitise or escape its "Steam Group Address" setting before outputting it in the page, leading to an authenticated Stored Cross-Site Scripting issue. |
| CVE-2021-24474 | 1 Awesome Weather Widget Project | 1 Awesome Weather Widget | 2024-11-21 | 6.1 Medium | The Awesome Weather Widget WordPress plugin through 3.0.2 does not sanitize the id parameter of its awesome_weather_refresh AJAX action, leading to an unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability. |
| CVE-2021-24471 | 1 Youtube Embed Project | 1 Youtube Embed | 2024-11-21 | 5.4 Medium | The YouTube Embed WordPress plugin before 5.2.2 does not validate, escape or sanitise some of its shortcode attributes, leading to Stored XSS issues by 1. using the w, h, controls, cc_lang, color, language, start, stop, or style parameter of the youtube shortcode, 2. using the style, class, rel, target, width, height, or alt parameter of the youtube_thumb shortcode, or 3. embedding a video whose title or description contains an XSS payload (if an API key is configured). |
| CVE-2021-24470 | 1 Yada Wiki Project | 1 Yada Wiki | 2024-11-21 | 5.4 Medium | The Yada Wiki WordPress plugin before 3.4.1 did not sanitise, validate or escape the anchor attribute of its shortcode, leading to a Stored Cross-Site Scripting issue. |