|
196541
|
8.8 |
HIGH
Network
|
xwp
|
stream
|
The Stream WordPress plugin before 3.8.2 does not sanitise and validate the order GET parameter from the Stream Records admin dashboard before using it in a SQL statement, leading to an SQL injection…
|
-
|
CVE-2021-24772
|
2024-11-21 14:53 |
2021-11-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
196542
|
8.8 |
HIGH
Network
|
email_log_project
|
email_log
|
The Email Log WordPress plugin before 2.4.7 does not properly validate, sanitise and escape the "orderby" and "order" GET parameters before using them in SQL statement in the admin dashboard, leading…
|
CWE-89
SQL Injection
|
CVE-2021-24758
|
2024-11-21 14:53 |
2021-11-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
196543
|
4.8 |
MEDIUM
Network
|
wpshopmart
|
testimonial_builder
|
The Testimonial WordPress plugin before 1.6.0 does not escape some testimonial fields which could allow high privilege users to perform Cross Site Scripting attacks even when the unfiltered_html capa…
|
-
|
CVE-2021-24598
|
2024-11-21 14:53 |
2021-11-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
196544
|
7.2 |
HIGH
Network
|
wpaffiliatemanager
|
affiliates_manager
|
The Affiliates Manager WordPress plugin before 2.8.7 does not validate the orderby parameter before using it in an SQL statement in the admin dashboard, leading to an SQL Injection issue
|
CWE-89
SQL Injection
|
CVE-2021-24844
|
2024-11-21 14:53 |
2021-11-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
196545
|
5.3 |
MEDIUM
Network
|
codesupply
|
squaretype
|
The Squaretype WordPress theme before 3.0.4 allows unauthenticated users to manipulate the query_vars used to retrieve the posts to display in one of its REST endpoint, without any validation. As a r…
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2021-24840
|
2024-11-21 14:53 |
2021-11-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
196546
|
4.3 |
MEDIUM
Network
|
wp_seo_redirect_301_project
|
wp_seo_redirect_301
|
The WP SEO Redirect 301 WordPress plugin before 2.3.2 does not have CSRF in place when deleting redirects, which could allow attackers to make a logged in admin delete them via a CSRF attack
|
CWE-352
Origin Validation Error
|
CVE-2021-24832
|
2024-11-21 14:53 |
2021-11-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
196547
|
8.8 |
HIGH
Network
|
wp-buy
|
visitor_traffic_real_time_statistics
|
The Visitor Traffic Real Time Statistics WordPress plugin before 3.9 does not validate and escape user input passed to the today_traffic_index AJAX action (available to any authenticated users) befor…
|
CWE-89
SQL Injection
|
CVE-2021-24829
|
2024-11-21 14:53 |
2021-11-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
196548
|
9.8 |
CRITICAL
Network
|
asgaros
|
asgaros_forum
|
The Asgaros Forum WordPress plugin before 1.15.13 does not validate and escape user input when subscribing to a topic before using it in a SQL statement, leading to an unauthenticated SQL injection i…
|
CWE-89
SQL Injection
|
CVE-2021-24827
|
2024-11-21 14:53 |
2021-11-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
196549
|
4.3 |
MEDIUM
Network
|
phoenix_media_rename_project
|
phoenix_media_rename
|
The Phoenix Media Rename WordPress plugin before 3.4.4 does not have capability checks in its phoenix_media_rename AJAX action, which could allow users with Author roles to rename any uploaded media …
|
NVD-CWE-noinfo
|
CVE-2021-24816
|
2024-11-21 14:53 |
2021-11-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
196550
|
5.4 |
MEDIUM
Network
|
schiocco
|
support_board
|
The Support Board WordPress plugin before 3.3.5 allows Authenticated (Agent+) users to perform Cross-Site Scripting attacks by placing a payload in the notes field, when an administrator or any authe…
|
CWE-79
Cross-site Scripting
|
CVE-2021-24807
|
2024-11-21 14:53 |
2021-11-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
