| 196921 | 4.3 | MEDIUM Network | designwall | dw_question_\&_answer | The DW Question & Answer Pro WordPress plugin through 1.3.4 does not check that the comment to edit belongs to the user making the request, allowing any user to edit other comments. | CWE-639 Authorization Bypass Through User-Controlled Key | CVE-2021-24800 | 2024-11-21 14:53 | 2022-04-26 |
| 196922 | 6.1 | MEDIUM Network | heateor | sassy_social_share | The Social Sharing Plugin WordPress plugin before 3.3.40 does not escape the viewed post URL before outputting it back in onclick attributes when the "Enable 'More' icon" option is enabled (which is … | - | CVE-2021-24746 | 2024-11-21 14:53 | 2022-03-29 |
| 196923 | 8.0 | HIGH Network | vsourz | advanced_cf7_db | The Advanced Contact form 7 DB WordPress plugin before 1.8.7 does not have authorisation nor CSRF checks in the acf7_db_edit_scr_file_delete AJAX action, and does not validate the file to be deleted,… | CWE-352 Origin Validation Error | CVE-2021-24905 | 2024-11-21 14:53 | 2022-03-22 |
| 196924 | 5.4 | MEDIUM Network | viitorcloud | add_subtitle | The Add Subtitle WordPress plugin through 1.1.0 does not sanitise or escape the sub-title field (available only with classic editor) when output in the page, which could allow users with a role as lo… | - | CVE-2021-24897 | 2024-11-21 14:53 | 2022-03-15 |
| 196925 | 4.8 | MEDIUM Network | webbigt | cybersoldier | The Cybersoldier WordPress plugin before 1.7.0 does not sanitise and escape the URL settings before outputting it in an attribute, which could allow high privilege users to perform Cross-Site Scripti… | CWE-79 Cross-site Scripting | CVE-2021-24895 | 2024-11-21 14:53 | 2022-03-15 |
| 196926 | 6.5 | MEDIUM Network | tipsandtricks-hq | simple_download_monitor | The Simple Download Monitor WordPress plugin before 3.9.5 allows users with a role as low as Contributor to download any file on the web server (such as wp-config.php) via a path traversal vector. | - | CVE-2021-24692 | 2024-11-21 14:53 | 2022-03-15 |
| 196927 | 5.4 | MEDIUM Network | custom_content_shortcode_project | custom_content_shortcode | The Custom Content Shortcode WordPress plugin before 4.0.2 does not escape custom fields before outputting them, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to perform Cros… | CWE-79 Cross-site Scripting | CVE-2021-24826 | 2024-11-21 14:53 | 2022-03-7 |
| 196928 | 4.3 | MEDIUM Network | custom_content_shortcode_project | custom_content_shortcode | The Custom Content Shortcode WordPress plugin before 4.0.2 does not validate the data passed to its load shortcode, which could allow Contributor+ (v < 4.0.1) or Admin+ (v < 4.0.2) users to display a… | - | CVE-2021-24825 | 2024-11-21 14:53 | 2022-03-7 |
| 196929 | 4.3 | MEDIUM Network | custom_content_shortcode_project | custom_content_shortcode | The [field] shortcode included with the Custom Content Shortcode WordPress plugin before 4.0.1, allows authenticated users with a role as low as contributor, to access arbitrary post metadata. This c… | CWE-863 Incorrect Authorization | CVE-2021-24824 | 2024-11-21 14:53 | 2022-03-7 |
| 196930 | 5.4 | MEDIUM Network | nicdark | cost_calculator | The Cost Calculator WordPress plugin before 1.6 allows users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the Description fields of a Cost Calculator > Price S… | CWE-79 Cross-site Scripting | CVE-2021-24821 | 2024-11-21 14:53 | 2022-03-7 |