Total
6084 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24324 | 1 Clogica | 1 All 404 Redirect To Homepage | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The 404 SEO Redirection WordPress plugin through 1.3 is lacking CSRF checks in all its settings, allowing attackers to make a logged in user change the plugin's settings. Due to the lack of sanitisation and escaping in some fields, it could also lead to Stored Cross-Site Scripting issues | |||||
| CVE-2021-24272 | 1 Codeinitiator | 1 Fitness Calculators | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| The fitness calculators WordPress plugin before 1.9.6 add calculators for Water intake, BMI calculator, protein Intake, and Body Fat and was lacking CSRF check, allowing attackers to make logged in users perform unwanted actions, such as change the calculator headers. Due to the lack of sanitisation, this could also lead to a Stored Cross-Site Scripting issue | |||||
| CVE-2021-24251 | 1 Strategy11 | 1 Business Directory Plugin - Easy Listing Directories | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator update arbitrary payment history, such as change their status (from pending to completed to example) | |||||
| CVE-2021-24249 | 1 Strategy11 | 1 Business Directory Plugin - Easy Listing Directories | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.2 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator export files, which could then be downloaded by the attacker to get access to PII, such as email, home addresses etc | |||||
| CVE-2021-24231 | 1 Patreon | 1 Patreon Wordpress | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the Patreon WordPress plugin before 1.7.0, allowing attackers to make a logged administrator disconnect the site from Patreon by visiting a specially crafted link. | |||||
| CVE-2021-24230 | 1 Patreon | 1 Patreon Wordpress | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH |
| The Jetpack Scan team identified a Cross-Site Request Forgery vulnerability in the Patreon WordPress plugin before 1.7.0, allowing attackers to make a logged in user overwrite or create arbitrary user metadata on the victim’s account once visited. If exploited, this bug can be used to overwrite the “wp_capabilities” meta, which contains the affected user account’s roles and privileges. Doing this would essentially lock them out of the site, blocking them from accessing paid content. | |||||
| CVE-2021-24218 | 1 Facebook | 1 Facebook | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection. The settings in the saveFbeSettings function had no sanitization allowing for script tags to be saved. | |||||
| CVE-2021-24179 | 1 Strategy11 | 1 Business Directory Plugin - Easy Listing Directories | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11 suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged in administrator import files. As the plugin also did not validate uploaded files, it could lead to RCE. | |||||
| CVE-2021-24178 | 1 Strategy11 | 1 Business Directory Plugin - Easy Listing Directories | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| The Business Directory Plugin – Easy Listing Directories for WordPress WordPress plugin before 5.11.1 suffered from Cross-Site Request Forgery issues, allowing an attacker to make a logged in administrator add, edit or delete form fields, which could also lead to Stored Cross-Site Scripting issues. | |||||
| CVE-2021-24174 | 1 Database-backups Project | 1 Database-backups | 2024-11-21 | 5.8 MEDIUM | 8.1 HIGH |
| The Database Backups WordPress plugin through 1.2.2.6 does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as generate backups of the database, change the plugin's settings and delete backups. | |||||
| CVE-2021-24173 | 1 Vm Backups Project | 1 Vm Backups | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The VM Backups WordPress plugin through 1.0 does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as update the plugin's options, leading to a Stored Cross-Site Scripting issue. | |||||
| CVE-2021-24172 | 1 Vm Backups Project | 1 Vm Backups | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| The VM Backups WordPress plugin through 1.0 does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as generate backups of the DB, plugins, and current . | |||||
| CVE-2021-24166 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | 5.8 MEDIUM | 5.4 MEDIUM |
| The wp_ajax_nf_oauth_disconnect from the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 had no nonce protection making it possible for attackers to craft a request to disconnect a site's OAuth connection. | |||||
| CVE-2021-24162 | 1 Expresstech | 1 Responsive Menu | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| In the Reponsive Menu (free and Pro) WordPress plugins before 4.0.4, attackers could craft a request and trick an administrator into importing all new settings. These settings could be modified to include malicious JavaScript, therefore allowing an attacker to inject payloads that could aid in further infection of the site. | |||||
| CVE-2021-24161 | 1 Expresstech | 1 Responsive Menu | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| In the Reponsive Menu (free and Pro) WordPress plugins before 4.0.4, attackers could craft a request and trick an administrator into uploading a zip archive containing malicious PHP files. The attacker could then access those files to achieve remote code execution and further infect the targeted site. | |||||
| CVE-2021-24159 | 1 Rocklobster | 1 Contact Form 7 | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| Due to the lack of sanitization and lack of nonce protection on the custom CSS feature, an attacker could craft a request to inject malicious JavaScript on a site using the Contact Form 7 Style WordPress plugin through 3.1.9. If an attacker successfully tricked a site’s administrator into clicking a link or attachment, then the request could be sent and the CSS settings would be successfully updated to include malicious JavaScript. | |||||
| CVE-2021-24133 | 1 Activecampaign | 1 Activecampaign | 2024-11-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| Lack of CSRF checks in the ActiveCampaign WordPress plugin, versions before 8.0.2, on its Settings form, which could allow attacker to make a logged-in administrator change API Credentials to attacker's account. | |||||
| CVE-2021-23849 | 1 Bosch | 14 Aviotec, Aviotec Firmware, Cpp13 and 11 more | 2024-11-21 | 6.8 MEDIUM | 7.5 HIGH |
| A vulnerability in the web-based interface allows an unauthenticated remote attacker to trigger actions on an affected system on behalf of another user (CSRF - Cross Site Request Forgery). This requires the victim to be tricked into clicking a malicious link or opening a malicious website while being logged in into the camera. | |||||
| CVE-2021-23431 | 1 Joplinapp | 1 Joplin | 2024-11-21 | 6.8 MEDIUM | 5.4 MEDIUM |
| The package joplin before 2.3.2 are vulnerable to Cross-site Request Forgery (CSRF) due to missing CSRF checks in various forms. | |||||
| CVE-2021-23404 | 1 Sqlite-web Project | 1 Sqlite-web | 2024-11-21 | 6.8 MEDIUM | 7.6 HIGH |
| This affects all versions of package sqlite-web. The SQL dashboard area allows sensitive actions to be performed without validating that the request originated from the application. This could enable an attacker to trick a user into performing these actions unknowingly through a Cross Site Request Forgery (CSRF) attack. | |||||