Total
3177 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-25075 | 1 Wpdevart | 1 Duplicate Page Or Post | 2024-11-21 | 3.5 LOW | 3.5 LOW |
| The Duplicate Page or Post WordPress plugin before 1.5.1 does not have any authorisation and has a flawed CSRF check in the wpdevart_duplicate_post_parametrs_save_in_db AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings, or perform such attack via CSRF. Furthermore, due to the lack of escaping, this could lead to Stored Cross-Site Scripting issues | |||||
| CVE-2021-25042 | 1 Plugins-market | 1 Wp Visitor Statistics \(real Time Traffic\) | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 5.5 does not have authorisation and CSRF checks in the updateIpAddress AJAX action, allowing any authenticated user to call it, or make a logged in user do it via a CSRF attack and add an arbitrary IP address to exclude. Furthermore, due to the lack of validation, sanitisation and escaping, users could set a malicious value and perform Cross-Site Scripting attacks against logged in admin | |||||
| CVE-2021-25032 | 1 Publishpress | 1 Capabilities | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The PublishPress Capabilities WordPress plugin before 2.3.1, PublishPress Capabilities Pro WordPress plugin before 2.3.1 does not have authorisation and CSRF checks when updating the plugin's settings via the init hook, and does not ensure that the options to be updated belong to the plugin. As a result, unauthenticated attackers could update arbitrary blog options, such as the default role and make any new registered user with an administrator role. | |||||
| CVE-2021-25025 | 1 Theeventscalendar | 1 Eventcalendar | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| The EventCalendar WordPress plugin before 1.1.51 does not have proper authorisation and CSRF checks in the add_calendar_event AJAX actions, allowing users with a role as low as subscriber to create events | |||||
| CVE-2021-25018 | 1 Najeebmedia | 1 Ppom For Woocommerce | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The PPOM for WooCommerce WordPress plugin before 24.0 does not have authorisation and CSRF checks in the ppom_settings_panel_action AJAX action, allowing any authenticated to call it and set arbitrary settings. Furthermore, due to the lack of sanitisation and escaping, it could lead to Stored XSS issues | |||||
| CVE-2021-25014 | 1 Vowelweb | 1 Ibtana | 2024-11-21 | 3.5 LOW | 3.5 LOW |
| The Ibtana WordPress plugin before 1.1.4.9 does not have authorisation and CSRF checks in the ive_save_general_settings AJAX action, allowing any authenticated users, such as subscriber to call it and change the plugin's settings which could lead to Stored Cross-Site Scripting issue. | |||||
| CVE-2021-25002 | 1 Tipsacarrier Project | 1 Tipsacarrier | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The Tipsacarrier WordPress plugin before 1.5.0.5 does not have any authorisation check in place some functions, which could allow unauthenticated users to access Orders data which could be used to retrieve the client full address, name and phone via tracking URL | |||||
| CVE-2021-24997 | 1 Wp-guppy | 1 Wp Guppy | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
| The WP Guppy WordPress plugin before 1.3 does not have any authorisation in some of the REST API endpoints, allowing any user to call them and could lead to sensitive information disclosure, such as usernames and chats between users, as well as be able to send messages as an arbitrary user | |||||
| CVE-2021-24988 | 1 Wprssaggregator | 1 Wp Rss Aggregator | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The WP RSS Aggregator WordPress plugin before 4.19.3 does not sanitise and escape data before outputting it in the System Info admin dashboard, which could lead to a Stored XSS issue due to the wprss_dismiss_addon_notice AJAX action missing authorisation and CSRF checks, allowing any authenticated users, such as subscriber to call it and set a malicious payload in the addon parameter. | |||||
| CVE-2021-24978 | 1 B4after | 1 Osmapper | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| The OSMapper WordPress plugin through 2.1.5 contains an AJAX action to delete a plugin related post type named 'map' and is registered with the wp_ajax_nopriv prefix, making it available to unauthenticated users. There is no authorisation, CSRF and checks in place to ensure that the post to delete is a map one. As a result, unauthenticated user can delete arbitrary posts from the blog | |||||
| CVE-2021-24977 | 1 Use Any Font Project | 1 Use Any Font | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
| The Use Any Font | Custom Font Uploader WordPress plugin before 6.2.1 does not have any authorisation checks when assigning a font, allowing unauthenticated users to sent arbitrary CSS which will then be processed by the frontend for all users. Due to the lack of sanitisation and escaping in the backend, it could also lead to Stored XSS issues | |||||
| CVE-2021-24950 | 1 Thememove | 1 Insight Core | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| The Insight Core WordPress plugin through 1.0 does not have any authorisation and CSRF checks in the insight_customizer_options_import (available to any authenticated user), does not validate user input before passing it to unserialize(), nor sanitise and escape it before outputting it in the response. As a result, it could allow users with a role as low as Subscriber to perform PHP Object Injection, as well as Stored Cross-Site Scripting attacks | |||||
| CVE-2021-24906 | 1 Wp-experts | 1 Protect Wp Admin | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The Protect WP Admin WordPress plugin before 3.6.2 does not check for authorisation in the lib/pwa-deactivate.php file, which could allow unauthenticated users to disable the plugin (and therefore the protection offered) via a crafted request | |||||
| CVE-2021-24890 | 1 Dplugins | 1 Scripts Organizer | 2024-11-21 | N/A | 8.8 HIGH |
| The Scripts Organizer WordPress plugin before 3.0 does not have capability and CSRF checks in the saveScript AJAX action, available to both unauthenticated and authenticated users, and does not validate user input in any way, which could allow unauthenticated users to put arbitrary PHP code in a file | |||||
| CVE-2021-24851 | 1 Insert Pages Project | 1 Insert Pages | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Insert Pages WordPress plugin before 3.7.0 allows users with a role as low as Contributor to access content and metadata from arbitrary posts/pages regardless of their author and status (ie private), using a shortcode. Password protected posts/pages are not affected by such issue. | |||||
| CVE-2021-24839 | 1 Supportcandy | 1 Supportcandy | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The SupportCandy WordPress plugin before 2.2.5 does not have authorisation and CSRF checks in its wpsc_tickets AJAX action, which could allow unauthenticated users to call it and delete arbitrary tickets via the set_delete_permanently_bulk_ticket setting_action. Other actions may be affected as well. | |||||
| CVE-2021-24836 | 1 Storeapps | 1 Temporary Login Without Password | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Temporary Login Without Password WordPress plugin before 1.7.1 does not have authorisation and CSRF checks when updating its settings, which could allows any logged-in users, such as subscribers to update them | |||||
| CVE-2021-24790 | 1 Contact Form Advanced Database Project | 1 Contact Form Advanced Database | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Contact Form Advanced Database WordPress plugin through 1.0.8 does not have any authorisation as well as CSRF checks in its delete_cf7_data and export_cf7_data AJAX actions, available to any authenticated users, which could allow users with a role as low as subscriber to call them. The delete_cf7_data would lead to arbitrary metadata deletion, as well as PHP Object Injection if a suitable gadget chain is present in another plugin, as user data is passed to the maybe_unserialize() function without being first validated. | |||||
| CVE-2021-24779 | 1 Wp Debugging Project | 1 Wp Debugging | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The WP Debugging WordPress plugin before 2.11.0 has its update_settings() function hooked to admin_init and is missing any authorisation and CSRF checks, as a result, the settings can be updated by unauthenticated users. | |||||
| CVE-2021-24730 | 1 Infornweb | 1 Logo Showcase With Slick Slider | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Logo Showcase with Slick Slider WordPress plugin before 1.2.5 does not have CSRF and authorisation checks in the lswss_save_attachment_data AJAX action, allowing any authenticated users, such as Subscriber, to change title, description, alt text, and URL of arbitrary uploaded media. | |||||