Total
5123 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-25002 | 1 Tipsacarrier Project | 1 Tipsacarrier | 2024-11-21 | 7.5 High |
| The Tipsacarrier WordPress plugin before 1.5.0.5 does not have any authorisation check in place some functions, which could allow unauthenticated users to access Orders data which could be used to retrieve the client full address, name and phone via tracking URL | ||||
| CVE-2021-24997 | 1 Wp-guppy | 1 Wp Guppy | 2024-11-21 | 6.5 Medium |
| The WP Guppy WordPress plugin before 1.3 does not have any authorisation in some of the REST API endpoints, allowing any user to call them and could lead to sensitive information disclosure, such as usernames and chats between users, as well as be able to send messages as an arbitrary user | ||||
| CVE-2021-24993 | 1 Etoilewebdesign | 1 Ultimate Product Catalog | 2024-11-21 | 6.5 Medium |
| The Ultimate Product Catalog WordPress plugin before 5.0.26 does not have authorisation and CSRF checks in some AJAX actions, which could allow any authenticated users, such as subscriber to call them and add arbitrary products, or change the plugin's settings for example | ||||
| CVE-2021-24988 | 1 Wprssaggregator | 1 Wp Rss Aggregator | 2024-11-21 | 5.4 Medium |
| The WP RSS Aggregator WordPress plugin before 4.19.3 does not sanitise and escape data before outputting it in the System Info admin dashboard, which could lead to a Stored XSS issue due to the wprss_dismiss_addon_notice AJAX action missing authorisation and CSRF checks, allowing any authenticated users, such as subscriber to call it and set a malicious payload in the addon parameter. | ||||
| CVE-2021-24978 | 1 B4after | 1 Osmapper | 2024-11-21 | 5.3 Medium |
| The OSMapper WordPress plugin through 2.1.5 contains an AJAX action to delete a plugin related post type named 'map' and is registered with the wp_ajax_nopriv prefix, making it available to unauthenticated users. There is no authorisation, CSRF and checks in place to ensure that the post to delete is a map one. As a result, unauthenticated user can delete arbitrary posts from the blog | ||||
| CVE-2021-24977 | 1 Use Any Font Project | 1 Use Any Font | 2024-11-21 | 6.1 Medium |
| The Use Any Font | Custom Font Uploader WordPress plugin before 6.2.1 does not have any authorisation checks when assigning a font, allowing unauthenticated users to sent arbitrary CSS which will then be processed by the frontend for all users. Due to the lack of sanitisation and escaping in the backend, it could also lead to Stored XSS issues | ||||
| CVE-2021-24968 | 1 Etoilewebdesign | 1 Ultimate Faq | 2024-11-21 | 5.7 Medium |
| The Ultimate FAQ WordPress plugin before 2.1.2 does not have capability and CSRF checks in the ewd_ufaq_welcome_add_faq and ewd_ufaq_welcome_add_faq_page AJAX actions, available to any authenticated users. As a result, any users, with a role as low as Subscriber could create FAQ and FAQ questions | ||||
| CVE-2021-24950 | 1 Thememove | 1 Insight Core | 2024-11-21 | 5.4 Medium |
| The Insight Core WordPress plugin through 1.0 does not have any authorisation and CSRF checks in the insight_customizer_options_import (available to any authenticated user), does not validate user input before passing it to unserialize(), nor sanitise and escape it before outputting it in the response. As a result, it could allow users with a role as low as Subscriber to perform PHP Object Injection, as well as Stored Cross-Site Scripting attacks | ||||
| CVE-2021-24914 | 1 Tawk | 1 Tawk.to Live Chat | 2024-11-21 | 8.0 High |
| The Tawk.To Live Chat WordPress plugin before 0.6.0 does not have capability and CSRF checks in the tawkto_setwidget and tawkto_removewidget AJAX actions, available to any authenticated user. The first one allows low-privileged users (including simple subscribers) to change the 'tawkto-embed-widget-page-id' and 'tawkto-embed-widget-widget-id' parameters. Any authenticated user can thus link the vulnerable website to their own Tawk.to instance. Consequently, they will be able to monitor the vulnerable website and interact with its visitors (receive contact messages, answer, ...). They will also be able to display an arbitrary Knowledge Base. The second one will remove the live chat widget from pages. | ||||
| CVE-2021-24906 | 1 Wp-experts | 1 Protect Wp Admin | 2024-11-21 | 7.5 High |
| The Protect WP Admin WordPress plugin before 3.6.2 does not check for authorisation in the lib/pwa-deactivate.php file, which could allow unauthenticated users to disable the plugin (and therefore the protection offered) via a crafted request | ||||
| CVE-2021-24851 | 1 Insert Pages Project | 1 Insert Pages | 2024-11-21 | 4.3 Medium |
| The Insert Pages WordPress plugin before 3.7.0 allows users with a role as low as Contributor to access content and metadata from arbitrary posts/pages regardless of their author and status (ie private), using a shortcode. Password protected posts/pages are not affected by such issue. | ||||
| CVE-2021-24842 | 1 Bulk Datetime Change Project | 1 Bulk Datetime Change | 2024-11-21 | 5.4 Medium |
| The Bulk Datetime Change WordPress plugin before 1.12 does not enforce capability checks which allows users with Contributor roles to 1) list private post titles of other users and 2) change the posted date of other users' posts. | ||||
| CVE-2021-24839 | 1 Supportcandy | 1 Supportcandy | 2024-11-21 | 7.5 High |
| The SupportCandy WordPress plugin before 2.2.5 does not have authorisation and CSRF checks in its wpsc_tickets AJAX action, which could allow unauthenticated users to call it and delete arbitrary tickets via the set_delete_permanently_bulk_ticket setting_action. Other actions may be affected as well. | ||||
| CVE-2021-24836 | 1 Storeapps | 1 Temporary Login Without Password | 2024-11-21 | 4.3 Medium |
| The Temporary Login Without Password WordPress plugin before 1.7.1 does not have authorisation and CSRF checks when updating its settings, which could allows any logged-in users, such as subscribers to update them | ||||
| CVE-2021-24831 | 1 Rich-web | 1 Tab | 2024-11-21 | 7.5 High |
| All AJAX actions of the Tab WordPress plugin before 1.3.2 are available to both unauthenticated and authenticated users, allowing unauthenticated attackers to modify various data in the plugin, such as add/edit/delete arbitrary tabs. | ||||
| CVE-2021-24790 | 1 Contact Form Advanced Database Project | 1 Contact Form Advanced Database | 2024-11-21 | 4.3 Medium |
| The Contact Form Advanced Database WordPress plugin through 1.0.8 does not have any authorisation as well as CSRF checks in its delete_cf7_data and export_cf7_data AJAX actions, available to any authenticated users, which could allow users with a role as low as subscriber to call them. The delete_cf7_data would lead to arbitrary metadata deletion, as well as PHP Object Injection if a suitable gadget chain is present in another plugin, as user data is passed to the maybe_unserialize() function without being first validated. | ||||
| CVE-2021-24779 | 1 Wp Debugging Project | 1 Wp Debugging | 2024-11-21 | 6.5 Medium |
| The WP Debugging WordPress plugin before 2.11.0 has its update_settings() function hooked to admin_init and is missing any authorisation and CSRF checks, as a result, the settings can be updated by unauthenticated users. | ||||
| CVE-2021-24730 | 1 Infornweb | 1 Logo Showcase With Slick Slider | 2024-11-21 | 4.3 Medium |
| The Logo Showcase with Slick Slider WordPress plugin before 1.2.5 does not have CSRF and authorisation checks in the lswss_save_attachment_data AJAX action, allowing any authenticated users, such as Subscriber, to change title, description, alt text, and URL of arbitrary uploaded media. | ||||
| CVE-2021-24677 | 1 Find My Blocks Project | 1 Find My Blocks | 2024-11-21 | 5.3 Medium |
| The Find My Blocks WordPress plugin before 3.4.0 does not have authorisation checks in its REST API, which could allow unauthenticated users to enumerate private posts' titles. | ||||
| CVE-2021-24639 | 1 Ffw | 1 Omgf | 2024-11-21 | 8.1 High |
| The OMGF WordPress plugin before 4.5.4 does not enforce path validation, authorisation and CSRF checks in the omgf_ajax_empty_dir AJAX action, which allows any authenticated users to delete arbitrary files or folders on the server. | ||||