Export limit exceeded: 350314 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 80499 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (80499 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-24662 | 1 Game-server-status Project | 1 Game-server-status | 2024-11-21 | 7.2 High |
| The Game Server Status WordPress plugin through 1.0 does not validate or escape the server_id parameter before using it in SQL statement, leading to an Authenticated SQL Injection in an admin page | ||||
| CVE-2021-24655 | 1 Wpusermanager | 1 Wp User Manager | 2024-11-21 | 7.5 High |
| The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account. | ||||
| CVE-2021-24651 | 1 Ays-pro | 1 Poll Maker | 2024-11-21 | 7.5 High |
| The Poll Maker WordPress plugin before 3.4.2 allows unauthenticated users to perform SQL injection via the ays_finish_poll AJAX action. While the result is not disclosed in the response, it is possible to use a timing attack to exfiltrate data such as password hash. | ||||
| CVE-2021-24647 | 1 Genetechsolutions | 1 Pie Register | 2024-11-21 | 8.1 High |
| The Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.1.7.6 has a flaw in the social login implementation, allowing unauthenticated attacker to login as any user on the site by only knowing their user ID or username | ||||
| CVE-2021-24644 | 1 Imagestowebp Project | 1 Images To Webp | 2024-11-21 | 7.5 High |
| The Images to WebP WordPress plugin before 1.9 does not validate or sanitise the tab parameter before passing it to the include() function, which could lead to a Local File Inclusion issue | ||||
| CVE-2021-24641 | 1 Imagestowebp Project | 1 Images To Webp | 2024-11-21 | 8.1 High |
| The Images to WebP WordPress plugin before 1.9 does not have CSRF checks in place when performing some administrative actions, which could result in modification of plugin settings, Denial-of-Service, as well as arbitrary image conversion | ||||
| CVE-2021-24639 | 1 Ffw | 1 Omgf | 2024-11-21 | 8.1 High |
| The OMGF WordPress plugin before 4.5.4 does not enforce path validation, authorisation and CSRF checks in the omgf_ajax_empty_dir AJAX action, which allows any authenticated users to delete arbitrary files or folders on the server. | ||||
| CVE-2021-24636 | 1 Print My Blog Project | 1 Print My Blog | 2024-11-21 | 8.1 High |
| The Print My Blog WordPress Plugin before 3.4.2 does not enforce nonce (CSRF) checks, which allows attackers to make logged in administrators deactivate the Print My Blog plugin and delete all saved data for that plugin by tricking them to open a malicious link | ||||
| CVE-2021-24631 | 1 Unlimited Popups Project | 1 Unlimited Popups | 2024-11-21 | 8.8 High |
| The Unlimited PopUps WordPress plugin through 4.5.3 does not sanitise or escape the did GET parameter before using it in a SQL statement, available to users as low as editor, leading to an authenticated SQL Injection | ||||
| CVE-2021-24630 | 1 Schreikasten Project | 1 Schreikasten | 2024-11-21 | 8.8 High |
| The Schreikasten WordPress plugin through 0.14.18 does not sanitise or escape the id GET parameter before using it in SQL statements in the comments dashboard from various actions, leading to authenticated SQL Injections which can be exploited by users as low as author | ||||
| CVE-2021-24629 | 1 Post Content Xmlrpc Project | 1 Post Content Xmlrpc | 2024-11-21 | 7.2 High |
| The Post Content XMLRPC WordPress plugin through 1.0 does not sanitise or escape multiple GET/POST parameters before using them in SQL statements in the admin dashboard, leading to an authenticated SQL Injections | ||||
| CVE-2021-24628 | 1 Wow-company | 1 Wow Forms | 2024-11-21 | 7.2 High |
| The Wow Forms WordPress plugin through 3.1.3 does not sanitise or escape a 'did' GET parameter before using it in a SQL statement, when deleting a form in the admin dashboard, leading to an authenticated SQL injection | ||||
| CVE-2021-24627 | 1 G Auto-hyperlink Project | 1 G Auto-hyperlink | 2024-11-21 | 7.2 High |
| The G Auto-Hyperlink WordPress plugin through 1.0.1 does not sanitise or escape an 'id' GET parameter before using it in a SQL statement, to select data to be displayed in the admin dashboard, leading to an authenticated SQL injection | ||||
| CVE-2021-24626 | 1 Chameleon Css Project | 1 Chameleon Css | 2024-11-21 | 8.8 High |
| The Chameleon CSS WordPress plugin through 1.2 does not have any CSRF and capability checks in all its AJAX calls, allowing any authenticated user, such as subscriber to call them and perform unauthorised actions. One of AJAX call, remove_css, also does not sanitise or escape the css_id POST parameter before using it in a SQL statement, leading to a SQL Injection | ||||
| CVE-2021-24625 | 1 Web-dorado | 1 Spidercatalog | 2024-11-21 | 7.2 High |
| The SpiderCatalog WordPress plugin through 1.7.3 does not sanitise or escape the 'parent' and 'ordering' parameters from the admin dashboard before using them in a SQL statement, leading to a SQL injection when adding a category | ||||
| CVE-2021-24620 | 1 Simple-e-commerce-shopping-cart Project | 1 Simple-e-commerce-shopping-cart | 2024-11-21 | 8.8 High |
| The WordPress Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal plugin through 2.2.5 does not check for the uploaded Downloadable Digital product file, allowing any file, such as PHP to be uploaded by an administrator. Furthermore, as there is no CSRF in place, attackers could also make a logged admin upload a malicious PHP file, which would lead to RCE | ||||
| CVE-2021-24606 | 1 Offshorewebmaster | 1 Availability Calendar | 2024-11-21 | 8.8 High |
| The Availability Calendar WordPress plugin before 1.2.1 does not escape the category attribute from its shortcode before using it in a SQL statement, leading to a SQL Injection issue, which can be exploited by any user able to add shortcode to posts/pages, such as contributor+ | ||||
| CVE-2021-24602 | 1 Hmplugin | 1 Hm Multiple Roles | 2024-11-21 | 8.8 High |
| The HM Multiple Roles WordPress plugin before 1.3 does not have any access control to prevent low privilege users to set themselves as admin via their profile page | ||||
| CVE-2021-24581 | 1 Blue-admin Project | 1 Blue-admin | 2024-11-21 | 8.8 High |
| The Blue Admin WordPress plugin through 21.06.01 does not sanitise or escape its "Logo Title" setting before outputting in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin does not have CSRF check in place when saving its settings, allowing the issue to be exploited via a CSRF attack. | ||||
| CVE-2021-24580 | 1 Wow-estore | 1 Side Menu | 2024-11-21 | 8.8 High |
| The Side Menu Lite WordPress plugin before 2.2.6 does not sanitise user input from the List page in the admin dashboard before using it in SQL statement, leading to a SQL Injection issue | ||||