| 196961 | 8.8 | HIGH, Network | wickedplugins | wicked_folders | The Wicked Folders WordPress plugin before 2.8.10 does not sanitise and escape the folder_id parameter before using it in a SQL statement in the wicked_folders_save_sort_order AJAX action, available … | CWE-89 SQL Injection | CVE-2021-24919 | 2024-11-21 14:54 | 2022-02-1 |
| 196962 | 6.1 | MEDIUM, Network | roundupwp | registrations_for_the_events_calendar | The Registrations for the Events Calendar WordPress plugin before 2.7.10 does not escape the qtype parameter before outputting it back in an attribute in the settings page, leading to a Reflected Cro… | - | CVE-2021-25083 | 2024-11-21 14:54 | 2022-01-24 |
| 196963 | 6.1 | MEDIUM, Network | crmperks | contact_form_entries | The Contact Form Entries WordPress plugin before 1.1.7 does not validate, sanitise and escape the IP address retrieved via headers such as CLIENT-IP and X-FORWARDED-FOR, allowing unauthenticated atta… | - | CVE-2021-25080 | 2024-11-21 14:54 | 2022-01-24 |
| 196964 | 6.1 | MEDIUM, Network | crmperks | contact_form_entries | The Contact Form Entries WordPress plugin before 1.2.4 does not sanitise and escape various parameters, such as form_id, status, end_date, order, orderby and search before outputting them back in the… | - | CVE-2021-25079 | 2024-11-21 14:54 | 2022-01-24 |
| 196965 | 6.1 | MEDIUM, Network | wpaffiliatemanager | affiliates_manager | The Affiliates Manager WordPress plugin before 2.9.0 does not validate, sanitise and escape the IP address of requests logged by the click tracking feature, allowing unauthenticated attackers to perf… | CWE-79 Cross-site Scripting | CVE-2021-25078 | 2024-11-21 14:54 | 2022-01-24 |
| 196966 | 8.8 | HIGH, Network | wedevs | wp_user_frontend | The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due… | - | CVE-2021-25076 | 2024-11-21 14:54 | 2022-01-24 |
| 196967 | 6.1 | MEDIUM, Network | webp_converter_for_media_project | webp_converter_for_media | The WebP Converter for Media WordPress plugin before 4.0.3 contains a file (passthru.php) which does not validate the src parameter before redirecting the user to it, leading to an Open Redirect issue | - | CVE-2021-25074 | 2024-11-21 14:54 | 2022-01-24 |
| 196968 | 8.8 | HIGH, Network | webmaster-source | wp125 | The WP125 WordPress plugin before 1.5.5 does not have CSRF checks in various actions, for example when deleting an ad, allowing attackers to make a logged-in admin delete them via a CSRF attack | - | CVE-2021-25073 | 2024-11-21 14:54 | 2022-01-24 |
| 196969 | 6.1 | MEDIUM, Network | villatheme | orders_tracking_for_woocommerce | The Orders Tracking for WooCommerce WordPress plugin before 1.1.10 does not sanitise and escape the file_url before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting | - | CVE-2021-25062 | 2024-11-21 14:54 | 2022-01-24 |
| 196970 | 4.8 | MEDIUM, Network | mobileeventsmanager | mobile_events_manager | The Mobile Events Manager WordPress plugin before 1.4.4 does not sanitise and escape various of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfil… | - | CVE-2021-25049 | 2024-11-21 14:54 | 2022-01-24 |