|
195581
|
8.8 |
HIGH
Network
|
core_tweaks_wp_setup_project
|
core_tweaks_wp_setup
|
The Core Tweaks WP Setup WordPress plugin through 4.1 allows to bulk-set many settings in WordPress, including the admin email, as well as creating a new admin account. There is no CSRF protection in…
|
-
|
CVE-2021-24803
|
2024-11-21 14:53 |
2022-02-28 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
195582
|
4.3 |
MEDIUM
Network
|
infornweb
|
logo_showcase_with_slick_slider
|
The Logo Showcase with Slick Slider WordPress plugin before 1.2.5 does not have CSRF and authorisation checks in the lswss_save_attachment_data AJAX action, allowing any authenticated users, such as …
|
-
|
CVE-2021-24730
|
2024-11-21 14:53 |
2022-02-28 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
195583
|
8.8 |
HIGH
Network
|
orange-form_project
|
orange-form
|
In the Orange Form WordPress plugin through 1.0, the process_bulk_action() function in "admin/orange-form-email.php" performs an unprepared SQL query with an unsanitized parameter ($id). Only admin c…
|
-
|
CVE-2021-24704
|
2024-11-21 14:53 |
2022-02-28 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
195584
|
4.9 |
MEDIUM
Network
|
wpeverest
|
contact_form
|
The Contact Forms - Drag & Drop Contact Form Builder WordPress plugin through 1.0.5 allows high privilege users to download arbitrary files from the web server via a path traversal attack
|
CWE-22
Path Traversal
|
CVE-2021-24689
|
2024-11-21 14:53 |
2022-02-28 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
195585
|
4.3 |
MEDIUM
Network
|
orange-form_project
|
orange-form
|
The Orange Form WordPress plugin through 1.0.1 does not have any authorisation and CSRF checks in all of its AJAX calls, for example the or_delete_filed one which is available to both unauthenticated…
|
CWE-352
Origin Validation Error
|
CVE-2021-24688
|
2024-11-21 14:53 |
2022-02-28 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
195586
|
9.8 |
CRITICAL
Network
|
accesspressthemes
|
accessbuddy
accesspress_basic
accesspress_lite
accesspress_mag
accesspress_parallax
accesspress_ray
accesspress_root
accesspress_staple
accesspress_store
agency_lite
apl…
|
Numerous Plugins and Themes from the AccessPress Themes (aka Access Keys) vendor are backdoored due to their website being compromised. Only plugins and themes downloaded via the vendor website are a…
|
-
|
CVE-2021-24867
|
2024-11-21 14:53 |
2022-02-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
195587
|
4.8 |
MEDIUM
Network
|
lenderd
|
mortgage_calculators_wp
|
The Mortgage Calculators WP WordPress plugin before 1.56 does not implement any sanitisation on the color setting of the background of a calculator, which could allow high privilege users to perform …
|
-
|
CVE-2021-24904
|
2024-11-21 14:53 |
2022-02-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
195588
|
6.1 |
MEDIUM
Network
|
brevo
|
newsletter\
_smtp\
_email_marketing_and_subscribe
|
The Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue WordPress plugin before 3.1.31 does not escape the lang and pid parameter before outputting them back in attributes, leading to…
|
-
|
CVE-2021-24874
|
2024-11-21 14:53 |
2022-02-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
195589
|
5.4 |
MEDIUM
Network
|
wpchill
|
remove_footer_credit
|
The Remove Footer Credit WordPress plugin before 1.0.6 does not have CSRF check in place when saving its settings, which could allow attacker to make logged in admins change them and lead to Stored X…
|
-
|
CVE-2021-24446
|
2024-11-21 14:53 |
2022-02-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
195590
|
5.4 |
MEDIUM
Network
|
supportcandy
|
supportcandy
|
The SupportCandy WordPress plugin before 2.2.7 does not validate and escape the page attribute of its shortcode, which could allow users with a role as low as Contributor to perform Cross-Site Script…
|
CWE-79
Cross-site Scripting
|
CVE-2021-24880
|
2024-11-21 14:53 |
2022-02-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
