| ID | CVSS | Severity | Vector | Vendor | Product | Description | CWE | CVE | Modified | Published |
|---|---|---|---|---|---|---|---|---|---|---|
| 194671 | 5.4 | MEDIUM | Network | transposh | transposh_wordpress_translation | The Transposh WordPress Translation WordPress plugin before 1.0.8 does not sanitise and escape the tk0 parameter from the tp_translation AJAX action, leading to Stored Cross-Site Scripting, which wil… | - | CVE-2021-24911 | 2024-11-21 14:53 | 2022-08-23 |
| 194672 | 6.1 | MEDIUM | Network | transposh | transposh_wordpress_translation | The Transposh WordPress Translation WordPress plugin before 1.0.8 does not sanitise and escape the a parameter via an AJAX action (available to both unauthenticated and authenticated users when the c… | - | CVE-2021-24910 | 2024-11-21 14:53 | 2022-08-23 |
| 194673 | 7.5 | HIGH | Network | wpusermanager | wp_user_manager | The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the passwo… | - | CVE-2021-24655 | 2024-11-21 14:53 | 2022-07-17 |
| 194674 | 4.3 | MEDIUM | Network | designwall | dw_question_&_answer | The DW Question & Answer Pro WordPress plugin through 1.3.4 does not properly check for CSRF in some of its functions, allowing attackers to make logged in users perform unwanted actions, such as upd… | - | CVE-2021-24805 | 2024-11-21 14:53 | 2022-04-26 |
| 194675 | 4.3 | MEDIUM | Network | designwall | dw_question_&_answer | The DW Question & Answer Pro WordPress plugin through 1.3.4 does not check that the comment to edit belongs to the user making the request, allowing any user to edit other comments. | CWE-639 Authorization Bypass Through User-Controlled Key | CVE-2021-24800 | 2024-11-21 14:53 | 2022-04-26 |
| 194676 | 6.1 | MEDIUM | Network | heateor | sassy_social_share | The Social Sharing Plugin WordPress plugin before 3.3.40 does not escape the viewed post URL before outputting it back in onclick attributes when the "Enable 'More' icon" option is enabled (which is … | - | CVE-2021-24746 | 2024-11-21 14:53 | 2022-03-29 |
| 194677 | 8.0 | HIGH | Network | vsourz | advanced_cf7_db | The Advanced Contact form 7 DB WordPress plugin before 1.8.7 does not have authorisation nor CSRF checks in the acf7_db_edit_scr_file_delete AJAX action, and does not validate the file to be deleted,… | CWE-352 Origin Validation Error | CVE-2021-24905 | 2024-11-21 14:53 | 2022-03-22 |
| 194678 | 5.4 | MEDIUM | Network | viitorcloud | add_subtitle | The Add Subtitle WordPress plugin through 1.1.0 does not sanitise or escape the sub-title field (available only with classic editor) when output in the page, which could allow users with a role as lo… | - | CVE-2021-24897 | 2024-11-21 14:53 | 2022-03-15 |
| 194679 | 4.8 | MEDIUM | Network | webbigt | cybersoldier | The Cybersoldier WordPress plugin before 1.7.0 does not sanitise and escape the URL settings before outputting it in an attribute, which could allow high privilege users to perform Cross-Site Scripti… | CWE-79 Cross-site Scripting | CVE-2021-24895 | 2024-11-21 14:53 | 2022-03-15 |
| 194680 | 6.5 | MEDIUM | Network | tipsandtricks-hq | simple_download_monitor | The Simple Download Monitor WordPress plugin before 3.9.5 allows users with a role as low as Contributor to download any file on the web server (such as wp-config.php) via a path traversal vector. | - | CVE-2021-24692 | 2024-11-21 14:53 | 2022-03-15 |