Row | CVE | Vendor / Product | CVSS | Vector | CWE | Published | Last modified

#194751 | CVE-2021-24857 | nocean / totop_link | 9.8 CRITICAL | Network | - | 2021-12-13 | 2024-11-21 14:53
    The ToTop Link WordPress plugin through 1.7.1 passes base64 encoded user input to the unserialize() PHP function, which could lead to PHP Object injection if a plugin installed on the blog has a suit…

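Why base64-decoded user input fed to unserialize() is a problem, and the two ways to close it, as an added illustration. This is not code from the ToTop Link plugin or any plugin in this listing; the FileCleanup class, the setting name and the payload are constructed for the demonstration (PHP 8+).

```php
<?php
// Added example: the unsafe pattern the advisory describes, beside two hardened variants.
// FileCleanup stands in for a "gadget" class that some other loaded plugin might provide;
// it only records what its destructor would have done.
class FileCleanup
{
    public string $path = '';
    public static array $log = [];

    // Runs automatically when the object is destroyed, including objects created by unserialize().
    public function __destruct()
    {
        self::$log[] = "would delete {$this->path}";
    }
}

// The vulnerable pattern: decode, then unserialize whatever the client sent.
function restore_settings_vulnerable(string $b64): mixed
{
    return unserialize(base64_decode($b64));
}

// Hardened variant 1: allowed_classes => false (PHP 7.0+) never instantiates real classes,
// so no magic method can run; objects come back as __PHP_Incomplete_Class.
function restore_settings_safe(string $b64): mixed
{
    $raw = base64_decode($b64, true);   // strict mode rejects malformed base64
    if ($raw === false) {
        return null;
    }
    return unserialize($raw, ['allowed_classes' => false]);
}

// Hardened variant 2 (preferred): do not accept PHP's serialize format from clients at all.
// JSON has no class-instantiation semantics.
function restore_settings_json(string $b64): mixed
{
    $raw = base64_decode($b64, true);
    if ($raw === false) {
        return null;
    }
    return json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed attacker input: a serialized FileCleanup with an attacker-chosen path.
$payload = base64_encode('O:11:"FileCleanup":1:{s:4:"path";s:22:"/var/www/wp-config.php";}');

$obj = restore_settings_vulnerable($payload);   // a real FileCleanup instance
unset($obj);                                    // __destruct() fires with the attacker's $path
echo "vulnerable: " . implode(', ', FileCleanup::$log) . "\n";

$obj = restore_settings_safe($payload);
echo "safe: " . get_class($obj) . "\n";         // __PHP_Incomplete_Class
unset($obj);                                    // nothing runs
echo "log entries after safe path: " . count(FileCleanup::$log) . "\n";

try {
    restore_settings_json($payload);            // serialized PHP is not valid JSON
} catch (JsonException $e) {
    echo "json variant rejected the payload: " . $e->getMessage() . "\n";
}
```

The gadget chain the advisory alludes to ("if a plugin installed on the blog has a suitable gadget") is exactly what allowed_classes => false removes: without a real class behind the object, __wakeup, __destruct and __toString never execute, so the attacker controls data but not behaviour.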
#194752 | CVE-2021-24855 | display_post_metadata_project / display_post_metadata | 5.4 MEDIUM | Network | - | 2021-12-13 | 2024-11-21 14:53
    The Display Post Metadata WordPress plugin before 1.5.0 adds a shortcode to print out custom fields, however their content is not sanitised or escaped which could allow users with a role as low as Co…

#194753 | CVE-2021-24848 | frenify / mediamatic | 8.8 HIGH | Network | CWE-89 SQL Injection | 2021-12-13 | 2024-11-21 14:53
    The mediamaticAjaxRenameCategory AJAX action of the Mediamatic WordPress plugin before 2.8.1, available to any authenticated user, does not sanitise the categoryID parameter before using it in a SQL …

#194754 | CVE-2021-24845 | improved_include_page_project / improved_include_page | 6.5 MEDIUM | Network | NVD-CWE-Other | 2021-12-13 | 2024-11-21 14:53
    The Improved Include Page WordPress plugin through 1.2 allows passing shortcode attributes with post_type & post_status which can be used to retrieve arbitrary content. This way, users with a role as…

#194755 | CVE-2021-24836 | storeapps / temporary_login_without_password | 4.3 MEDIUM | Network | CWE-352 Cross-Site Request Forgery (CSRF); CWE-862 Missing Authorization | 2021-12-13 | 2024-11-21 14:53
    The Temporary Login Without Password WordPress plugin before 1.7.1 does not have authorisation and CSRF checks when updating its settings, which could allow any logged-in users, such as subscribers …

#194756 | CVE-2021-24819 | page/post_content_shortcode_project / page/post_content_shortcode | 4.3 MEDIUM | Network | CWE-863 Incorrect Authorization | 2021-12-13 | 2024-11-21 14:53
    The Page/Post Content Shortcode WordPress plugin through 1.0 does not have proper authorisation in place, allowing users with a role as low as contributor to access draft/private/password protected/t…

#194757 | CVE-2021-24818 | wp_limits_project / wp_limits | 4.3 MEDIUM | Network | - | 2021-12-13 | 2024-11-21 14:53
    The WP Limits WordPress plugin through 1.0 does not have a CSRF check when saving its settings, allowing an attacker to make a logged-in admin change them, which could make the blog unstable by setting lo…

#194758 | CVE-2021-24817 | ultimate_nofollow_project / ultimate_nofollow | 5.4 MEDIUM | Network | - | 2021-12-13 | 2024-11-21 14:53
    The Ultimate NoFollow WordPress plugin through 1.4.8 does not sanitise and escape the href attribute of its shortcodes, allowing users with a role as low as contributor to perform Cross-Site Scriptin…

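The two shortcode defects that recur in this listing (an attribute written into HTML unescaped, as in Display Post Metadata and Ultimate NoFollow, and a shortcode that fetches a post by ID without checking whether the viewer may read it, as in Page/Post Content Shortcode and Improved Include Page), each beside a hardened form. This is an added illustration, not code from any of those plugins; the shortcode tags, attribute names and function names are hypothetical, and it assumes the WordPress plugin API (add_shortcode, shortcode_atts, get_post, current_user_can, esc_*, is_post_publicly_viewable from WP 5.7).

```php
<?php
// Added example (hypothetical plugin code). Contributors cannot publish raw HTML,
// but shortcode output is generated by the plugin at render time, so anything the
// plugin prints without escaping bypasses that restriction for every visitor.

// Defect 1, vulnerable form: attributes go straight into markup.
function example_link_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'href' => '', 'text' => '' ), $atts );
    // [example_link href='javascript:alert(1)' text='x'] or a text value containing
    // <script> lands in the page as-is.
    return '<a href="' . $atts['href'] . '" rel="nofollow">' . $atts['text'] . '</a>';
}

// Defect 1, hardened form: esc_url() drops non-allowlisted schemes such as javascript:,
// esc_html() neutralises tag characters in the visible text.
function example_link_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array( 'href' => '', 'text' => '' ), $atts );
    return '<a href="' . esc_url( $atts['href'] ) . '" rel="nofollow">'
        . esc_html( $atts['text'] ) . '</a>';
}

// Defect 2, vulnerable form: get_post() happily returns drafts, private and
// password-protected posts, so a contributor can embed anyone's unpublished content
// in a post they can preview.
function example_include_post_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts );
    $post = get_post( (int) $atts['id'] );
    return $post ? apply_filters( 'the_content', $post->post_content ) : '';
}

// Defect 2, hardened form: render only what the *current viewer* may read.
function example_include_post_safe( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts );
    $id   = absint( $atts['id'] );
    $post = $id ? get_post( $id ) : null;
    if ( ! $post ) {
        return '';
    }
    // Published posts of a public post type are fine for everyone, including logged-out
    // visitors (who have no 'read' capability, so current_user_can alone would be too strict).
    // Anything else needs read_post, which WordPress maps to read_private_posts for
    // private posts and to edit_post for drafts/pending/scheduled posts.
    if ( ! is_post_publicly_viewable( $post ) && ! current_user_can( 'read_post', $post->ID ) ) {
        return '';
    }
    // Honour password protection instead of bypassing it.
    if ( post_password_required( $post ) ) {
        return get_the_password_form( $post );
    }
    return apply_filters( 'the_content', $post->post_content );
}

add_shortcode( 'example_link', 'example_link_shortcode_safe' );
add_shortcode( 'example_include', 'example_include_post_safe' );
```

Note that the authorisation check is evaluated for whoever views the page, not for the author who inserted the shortcode; that is the behaviour you want, since a published page must not become a window into content its readers could not otherwise open.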
#194759 | CVE-2021-24795 | phoeniixx / filter_portfolio_gallery | 6.5 MEDIUM | Network | - | 2021-12-13 | 2024-11-21 14:53
    The Filter Portfolio Gallery WordPress plugin through 1.5 is lacking a Cross-Site Request Forgery (CSRF) check when deleting a Gallery, which could allow attackers to make a logged in admin delete arbi…

#194760 | CVE-2021-24792 | wpeden / shiny_buttons | 6.1 MEDIUM | Network | - | 2021-12-13 | 2024-11-21 14:53
    The Shiny Buttons WordPress plugin through 1.1.0 does not have any authorisation and CSRF in place when saving a template (wpbtn_save_template function hooked to the init action), nor sanitise and es…
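The three checks that the state-changing handlers in this listing were missing (Mediamatic: unsanitised ID in SQL from an AJAX action open to any authenticated user; Temporary Login Without Password, WP Limits, Filter Portfolio Gallery and Shiny Buttons: no CSRF nonce and/or no capability check, in one case on the init hook), shown as an added illustration with a vulnerable AJAX handler beside a hardened one and a hardened settings handler. This is hypothetical plugin code, not code from any of those plugins; the action names, option name and table name are invented, and it assumes the WordPress plugin API ($wpdb, check_ajax_referer, check_admin_referer, current_user_can, wp_send_json_*).

```php
<?php
// Added example (hypothetical plugin code). wp_ajax_* actions are reachable by every
// logged-in role, so "authenticated" is not "authorised"; a nonce is what ties the
// request to a form or script this user actually loaded.

// Vulnerable form: no nonce, no capability check, values concatenated into SQL.
function example_rename_category_vulnerable() {
    global $wpdb;
    $id   = $_POST['categoryID'];
    $name = $_POST['name'];
    $wpdb->query( "UPDATE {$wpdb->prefix}example_categories SET name = '$name' WHERE id = $id" );
    wp_send_json_success();
}

// Hardened form.
function example_rename_category_safe() {
    global $wpdb;
    // 1. CSRF: the request must carry a nonce issued to this user for this action
    //    (check_ajax_referer() terminates the request on failure).
    check_ajax_referer( 'example_rename_category', 'nonce' );
    // 2. Authorisation: require the capability the operation needs, not just a login.
    if ( ! current_user_can( 'manage_categories' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 3. Input: coerce the id to an unsigned integer; let $wpdb->prepare() quote the name.
    $id   = isset( $_POST['categoryID'] ) ? absint( $_POST['categoryID'] ) : 0;
    $name = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';
    if ( ! $id || '' === $name ) {
        wp_send_json_error( 'bad request', 400 );
    }
    $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->prefix}example_categories SET name = %s WHERE id = %d",
        $name,
        $id
    ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_rename_category', 'example_rename_category_safe' );

// The nonce the admin script must send with each request (hypothetical script handle):
// wp_localize_script( 'example-admin', 'exampleAjax',
//     array( 'nonce' => wp_create_nonce( 'example_rename_category' ) ) );

// Same three checks for a settings form. Handle it on admin_post_<action>, not on init
// (init runs for every request, including unauthenticated front-end hits), verify the
// nonce printed by wp_nonce_field( 'example_save_settings' ) in the form, and require
// manage_options. Bounding the value also limits what a successful CSRF could do.
function example_save_settings_safe() {
    check_admin_referer( 'example_save_settings' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'forbidden', '', 403 );
    }
    $limit = isset( $_POST['limit'] ) ? absint( $_POST['limit'] ) : 0;
    update_option( 'example_limit', max( 1, min( $limit, 1000 ) ) );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_example_save_settings', 'example_save_settings_safe' );
```

When reviewing a plugin for this class of bug, grep for add_action( 'wp_ajax_, 'admin_post_ and 'init' and check each handler for all three of nonce, capability and prepare(); the advisories above show that any one of them missing is enough for a CVE.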