| ID | CVSS | Severity | Vector | Vendor | Product | Description | CWE | CVE | Last modified | Published |
|---|---|---|---|---|---|---|---|---|---|---|
| 195621 | 5.4 | MEDIUM | Network | wptravelengine | wp_travel_engine | The WP Travel Engine WordPress plugin before 5.3.1 does not escape the Description field in the Trip Destination/Activities/Trip Type and Pricing Category pages, allowing users with a role as low as … | CWE-79 Cross-site Scripting | CVE-2021-24680 | 2024-11-21 14:53 | 2022-01-03 |
| 195622 | 4.8 | MEDIUM | Network | typebot | typebot | The Typebot \| Build beautiful conversational forms WordPress plugin before 1.4.3 does not sanitise and escape the Publish ID setting, which could allow high privilege users to perform Cross-Site Scri… | - | CVE-2021-24902 | 2024-11-21 14:53 | 2021-12-27 |
| 195623 | 6.1 | MEDIUM | Network | tickera | tickera | The Tickera WordPress plugin before 3.4.8.3 does not properly sanitise and escape the Name fields of booked Events before outputting them in the Orders admin dashboard, which could allow unauthentica… | - | CVE-2021-24797 | 2024-11-21 14:53 | 2021-12-27 |
| 195624 | 7.2 | HIGH | Network | starfish | rich_review | The Rich Reviews by Starfish WordPress plugin before 1.9.6 does not properly validate the orderby GET parameter of the pending reviews page before using it in a SQL statement, leading to an authentic… | CWE-89 SQL Injection | CVE-2021-24753 | 2024-11-21 14:53 | 2021-12-27 |
| 195625 | 6.1 | MEDIUM | Network | wpeverest | everest_forms | The Contact Form, Drag and Drop Form Builder for WordPress plugin before 1.8.0 does not escape the status parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Script… | CWE-79 Cross-site Scripting | CVE-2021-24907 | 2024-11-21 14:53 | 2021-12-21 |
| 195626 | 9.8 | CRITICAL | Network | wclovers | frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible | The wcfm_ajax_controller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated users, does not properly sanitise multiple parameters before… | - | CVE-2021-24849 | 2024-11-21 14:53 | 2021-12-21 |
| 195627 | 8.8 | HIGH | Network | ni_woocommerce_custom_order_status_project | ni_woocommerce_custom_order_status | The get_query() function of the Ni WooCommerce Custom Order Status WordPress plugin before 1.9.7, used by the niwoocos_ajax AJAX action, available to all authenticated users, does not properly saniti… | - | CVE-2021-24846 | 2024-11-21 14:53 | 2021-12-21 |
| 195628 | 8.8 | HIGH | Network | wp_visitor_statistics_(real_time_traffic)_project | wp_visitor_statistics_(real_time_traffic) | The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which co… | CWE-89 SQL Injection | CVE-2021-24750 | 2024-11-21 14:53 | 2021-12-21 |
| 195629 | 8.1 | HIGH | Network | shapedplugin | logo_carousel | The Logo Carousel WordPress plugin before 3.4.2 allows users with a role as low as Contributor to duplicate and view arbitrary private posts made by other users via the Carousel Duplication feature | - | CVE-2021-24739 | 2024-11-21 14:53 | 2021-12-21 |
| 195630 | 5.4 | MEDIUM | Network | shapedplugin | logo_carousel | The Logo Carousel WordPress plugin before 3.4.2 does not validate and escape the "Logo Margin" carousel option, which could allow users with a role as low as Contributor to perform Stored Cross-Site … | - | CVE-2021-24738 | 2024-11-21 14:53 | 2021-12-21 |