| 196211 | 9.8 | CRITICAL Network | cars-seller-auto-classifieds-script_project | cars-seller-auto-classifieds-script | The request_list_request AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenticated and unauthenticated users, does not sanitise, validate o… | - | CVE-2021-24285 | 2024-11-21 14:52 | 2021-05-14 |
| 196212 | 9.8 | CRITICAL Network | kaswara_project | kaswara | The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zipfile being unzipped in the wp-content/up… | - | CVE-2021-24284 | 2024-11-21 14:52 | 2021-05-14 |
| 196213 | 5.4 | MEDIUM Network | pickplugins | accordion | The tab GET parameter of the settings page is not sanitised or escaped when being output back in an HTML attribute, leading to a reflected XSS issue. | - | CVE-2021-24283 | 2024-11-21 14:52 | 2021-05-14 |
| 196214 | 6.3 | MEDIUM Network | querysol | redirection_for_contact_form_7 | In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the various AJAX actions in the plugin to do a variety of things. For exam… | - | CVE-2021-24282 | 2024-11-21 14:52 | 2021-05-14 |
| 196215 | 4.3 | MEDIUM Network | querysol | redirection_for_contact_form_7 | In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the delete_action_post AJAX action to delete any post on a target site. | - | CVE-2021-24281 | 2024-11-21 14:52 | 2021-05-14 |
| 196216 | 8.8 | HIGH Network | querysol | redirection_for_contact_form_7 | In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the import_from_debug AJAX action to inject PHP objects. | CWE-502 Deserialization of Untrusted Data | CVE-2021-24280 | 2024-11-21 14:52 | 2021-05-14 |
| 196217 | 6.5 | MEDIUM Network | querysol | redirection_for_contact_form_7 | In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, low level users, such as subscribers, could use the import_from_debug AJAX action to install any plugin from the WordPress reposit… | - | CVE-2021-24279 | 2024-11-21 14:52 | 2021-05-14 |
| 196218 | 7.5 | HIGH Network | querysol | redirection_for_contact_form_7 | In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, unauthenticated users can use the wpcf7r_get_nonce AJAX action to retrieve a valid nonce for any WordPress action/function. | - | CVE-2021-24278 | 2024-11-21 14:52 | 2021-05-14 |
| 196219 | 5.4 | MEDIUM Network | wpuslugi | rss_for_yandex_turbo | The RSS for Yandex Turbo WordPress plugin before 1.30 did not properly sanitise the user inputs from its ???????? settings tab before outputting them back in the page, leading to authenticated stored… | - | CVE-2021-24277 | 2024-11-21 14:52 | 2021-05-14 |
| 196220 | 8.8 | HIGH Network | wp-buy | login_as_user_or_customer_\(user_switching\) | Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Login as User or Customer (User Switching) WordPress plugin before 1.8, to install any plugin (including … | NVD-CWE-Other | CVE-2021-24195 | 2024-11-21 14:52 | 2021-05-14 |