Total
6084 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24853 | 1 Qr Redirector Project | 1 Qr Redirector | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| The QR Redirector WordPress plugin before 1.6 does not have capability and CSRF checks when saving bulk QR Redirector settings via the qr_save_bulk AJAX action, which could allow any authenticated user, such as subscriber to change the redirect response status code of arbitrary QR Redirects | |||||
| CVE-2021-24852 | 1 Mousewheel Smooth Scroll Project | 1 Mousewheel Smooth Scroll | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The MouseWheel Smooth Scroll WordPress plugin before 5.7 does not have CSRF check in place on its settings page, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2021-24843 | 1 Supportcandy | 1 Supportcandy | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The SupportCandy WordPress plugin before 2.2.7 does not have CRSF check in its wpsc_tickets AJAX action, which could allow attackers to make a logged in admin call it and delete arbitrary tickets via the set_delete_permanently_bulk_ticket setting_action. | |||||
| CVE-2021-24836 | 1 Storeapps | 1 Temporary Login Without Password | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Temporary Login Without Password WordPress plugin before 1.7.1 does not have authorisation and CSRF checks when updating its settings, which could allows any logged-in users, such as subscribers to update them | |||||
| CVE-2021-24832 | 1 Wp Seo Redirect 301 Project | 1 Wp Seo Redirect 301 | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| The WP SEO Redirect 301 WordPress plugin before 2.3.2 does not have CSRF in place when deleting redirects, which could allow attackers to make a logged in admin delete them via a CSRF attack | |||||
| CVE-2021-24823 | 1 Schiocco | 1 Support Board | 2024-11-21 | 4.9 MEDIUM | 8.1 HIGH |
| The Support Board WordPress plugin before 3.3.6 does not have any CSRF checks in actions handled by the include/ajax.php file, which could allow attackers to make logged in users do unwanted actions. For example, make an admin delete arbitrary files | |||||
| CVE-2021-24822 | 1 Stylishcostcalculator | 1 Stylish Cost Calculator | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Stylish Cost Calculator WordPress plugin before 7.0.4 does not have any authorisation and CSRF checks on some of its AJAX actions (available to authenticated users), which could allow any authenticated users, such as subscriber to call them, and perform Stored Cross-Site Scripting attacks against logged in admin, as well as frontend users due to the lack of sanitisation and escaping in some parameters | |||||
| CVE-2021-24818 | 1 Wp Limits Project | 1 Wp Limits | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| The WP Limits WordPress plugin through 1.0 does not have CSRF check when saving its settings, allowing attacker to make a logged in admin change them, which could make the blog unstable by setting low values | |||||
| CVE-2021-24809 | 1 Wordplus | 1 Better Messages | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| The BP Better Messages WordPress plugin before 1.9.9.41 does not check for CSRF in multiple of its AJAX actions: bp_better_messages_leave_chat, bp_better_messages_join_chat, bp_messages_leave_thread, bp_messages_mute_thread, bp_messages_unmute_thread, bp_better_messages_add_user_to_thread, bp_better_messages_exclude_user_from_thread. This could allow attackers to make logged in users do unwanted actions | |||||
| CVE-2021-24806 | 1 Gvectors | 1 Wpdiscuz | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| The wpDiscuz WordPress plugin before 7.3.4 does check for CSRF when adding, editing and deleting comments, which could allow attacker to make logged in users such as admin edit and delete arbitrary comment, or the user who made the comment to edit it via a CSRF attack. Attackers could also make logged in users post arbitrary comment. | |||||
| CVE-2021-24805 | 1 Designwall | 1 Dw Question \& Answer | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| The DW Question & Answer Pro WordPress plugin through 1.3.4 does not properly check for CSRF in some of its functions, allowing attackers to make logged in users perform unwanted actions, such as update a comment or a question status. | |||||
| CVE-2021-24804 | 1 Simple Jwt Login Project | 1 Simple Jwt Login | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| The Simple JWT Login WordPress plugin before 3.2.1 does not have nonce checks when saving its settings, allowing attackers to make a logged in admin changed them. Settings such as HMAC verification secret, account registering and default user roles can be updated, which could result in site takeover. | |||||
| CVE-2021-24803 | 1 Core Tweaks Wp Setup Project | 1 Core Tweaks Wp Setup | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| The Core Tweaks WP Setup WordPress plugin through 4.1 allows to bulk-set many settings in WordPress, including the admin email, as well as creating a new admin account. There is no CSRF protection in place, allowing an attacker to arbitrary change the admin email or create another admin account and takeover the website via CSRF attacks | |||||
| CVE-2021-24802 | 1 Gesundheit-bewegt | 1 Colorful Categories | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Colorful Categories WordPress plugin before 2.0.15 does not enforce nonce checks which could allow attackers to make a logged in admin or editor change taxonomy colors via a CSRF attack | |||||
| CVE-2021-24801 | 1 Wp Survey Plus Project | 1 Wp Survey Plus | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| The WP Survey Plus WordPress plugin through 1.0 does not have any authorisation and CSRF checks in place in its AJAX actions, allowing any user to call them and add/edit/delete Surveys. Furthermore, due to the lack of sanitization in the Surveys' Title, this could also lead to Stored Cross-Site Scripting issues | |||||
| CVE-2021-24799 | 1 Tipsandtricks-hq | 1 Far Future Expiry Header | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Far Future Expiry Header WordPress plugin before 1.5 does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. | |||||
| CVE-2021-24795 | 1 Phoeniixx | 1 Filter Portfolio Gallery | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Filter Portfolio Gallery WordPress plugin through 1.5 is lacking Cross-Site Request Forgery (CSRF) check when deleting a Gallery, which could allow attackers to make a logged in admin delete arbitrary Gallery. | |||||
| CVE-2021-24790 | 1 Contact Form Advanced Database Project | 1 Contact Form Advanced Database | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Contact Form Advanced Database WordPress plugin through 1.0.8 does not have any authorisation as well as CSRF checks in its delete_cf7_data and export_cf7_data AJAX actions, available to any authenticated users, which could allow users with a role as low as subscriber to call them. The delete_cf7_data would lead to arbitrary metadata deletion, as well as PHP Object Injection if a suitable gadget chain is present in another plugin, as user data is passed to the maybe_unserialize() function without being first validated. | |||||
| CVE-2021-24784 | 1 Wp Admin Logo Changer Project | 1 Wp Admin Logo Changer | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The WP Admin Logo Changer WordPress plugin through 1.0 does not have CSRF check when saving its settings, which could allow attackers to make a logged in admin update them via a CSRF attack. | |||||
| CVE-2021-24780 | 1 Single Post Exporter Project | 1 Single Post Exporter | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Single Post Exporter WordPress plugin through 1.1.1 does not have CSRF checks when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack and give access to the export feature to any role such as subscriber. Subscriber users would then be able to export an arbitrary post/page (such as private and password protected) via a direct URL | |||||