CVE Vulnerabilities
CVE database enriched with CISA KEV and NVD data
| CVE ID | Description | CVSS | Severity | KEV | Observations |
|---|---|---|---|---|---|
| CVE-2020-4997 | IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality ... | 5.4 | MEDIUM | — | 0 |
| CVE-2021-24150 | The LikeBtn WordPress Like Button Rating ♥ LikeBtn WordPress plugin before 2.6.32 was vulnerable to Unauthenticated Full-Read Server-Side Request Forgery (SSRF). | 7.5 | HIGH | — | 0 |
| CVE-2021-24152 | The "All Subscribers" setting page of Popup Builder was vulnerable to reflected Cross-Site Scripting. | 6.1 | MEDIUM | — | 0 |
| CVE-2021-24153 | A Stored Cross-Site Scripting vulnerability was discovered in the Yoast SEO WordPress plugin before 3.4.1, which had built-in blacklist filters which were blacklisting Parenthesis as well as several f... | 5.4 | MEDIUM | — | 0 |
| CVE-2021-24154 | The Theme Editor WordPress plugin before 2.6 did not validate the GET file parameter before passing it to the download_file() function, allowing administrators to download arbitrary files on the web s... | 4.9 | MEDIUM | — | 0 |
| CVE-2021-24155 | The WordPress Backup and Migrate Plugin – Backup Guard WordPress plugin before 1.6.0 did not ensure that the imported files are of the SGBP format and extension, allowing high privilege users (admin+)... | 7.2 | HIGH | — | 0 |
| CVE-2021-24156 | Stored Cross-Site Scripting vulnerabilities in Testimonial Rotator 3.0.3 allow low privileged users (Contributor) to inject arbitrary JavaScript code or HTML without approval. This could lead to privi... | 5.4 | MEDIUM | — | 0 |
| CVE-2021-24157 | Orbit Fox by ThemeIsle has a feature to add custom scripts to the header and footer of a page or post. There were no checks to verify that a user had the unfiltered_html capability prior to saving the... | 5.4 | MEDIUM | — | 0 |
| CVE-2021-24158 | Orbit Fox by ThemeIsle has a feature to add a registration form to both the Elementor and Beaver Builder page builders functionality. As part of the registration form, administrators can choose which ... | 6.5 | MEDIUM | — | 0 |
| CVE-2021-24159 | Due to the lack of sanitization and lack of nonce protection on the custom CSS feature, an attacker could craft a request to inject malicious JavaScript on a site using the Contact Form 7 Style WordPr... | 8.8 | HIGH | — | 0 |
| CVE-2020-11252 | Trustzone initialization code will disable xPUs when memory dumps are enabled and lead to information disclosure in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer I... | 7.2 | HIGH | — | 0 |
| CVE-2021-24160 | In the Responsive Menu (free and Pro) WordPress plugins before 4.0.4, subscribers could upload zip archives containing malicious PHP files that would get extracted to the /rmp-menu/ directory. These fi... | 8.8 | HIGH | — | 0 |
| CVE-2021-24161 | In the Responsive Menu (free and Pro) WordPress plugins before 4.0.4, attackers could craft a request and trick an administrator into uploading a zip archive containing malicious PHP files. The attacke... | 8.8 | HIGH | — | 0 |
| CVE-2021-24162 | In the Responsive Menu (free and Pro) WordPress plugins before 4.0.4, attackers could craft a request and trick an administrator into importing all new settings. These settings could be modified to inc... | 8.8 | HIGH | — | 0 |
| CVE-2021-24163 | The AJAX action, wp_ajax_ninja_forms_sendwp_remote_install_handler, did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such ... | 8.8 | HIGH | — | 0 |
| CVE-2021-24164 | In the Ninja Forms Contact Form WordPress plugin before 3.4.34.1, low-level users, such as subscribers, were able to trigger the action, wp_ajax_nf_oauth, and retrieve the connection url needed to est... | 4.3 | MEDIUM | — | 0 |
| CVE-2021-24165 | In the Ninja Forms Contact Form WordPress plugin before 3.4.34, the wp_ajax_nf_oauth_connect AJAX action was vulnerable to open redirect due to the use of a user supplied redirect parameter and no pro... | 6.1 | MEDIUM | — | 0 |
| CVE-2021-24166 | The wp_ajax_nf_oauth_disconnect from the Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 had no nonce protection making it possible for attackers... | 5.4 | MEDIUM | — | 0 |
| CVE-2021-24167 | When visiting a site running Web-Stat < 1.4.0, the "wts_web_stat_load_init" function used the visitor’s browser to send an XMLHttpRequest request to https://wts2.one/ajax.htm?action=lookup_WP_account. | 7.5 | HIGH | — | 0 |
| CVE-2021-24168 | The Easy Contact Form Pro WordPress plugin before 1.1.1.9 did not properly sanitise the text fields (such as Email Subject, Email Recipient, etc) when creating or editing a form, leading to an authent... | 5.4 | MEDIUM | — | 0 |
| CVE-2021-24169 | This Advanced Order Export For WooCommerce WordPress plugin before 3.1.8 helps you to easily export WooCommerce order data. The tab parameter in the Admin Panel is vulnerable to reflected XSS. | 6.1 | MEDIUM | — | 0 |
| CVE-2021-24170 | The REST API endpoint get_users in the User Profile Picture WordPress plugin before 2.5.0 returned more information than was required for its functionality to users with the upload_files capability. T... | 7.5 | HIGH | — | 0 |
| CVE-2021-24171 | The WooCommerce Upload Files WordPress plugin before 59.4 ran a single sanitization pass to remove blocked extensions such as .php. It was possible to bypass this and upload a file with a PHP extensio... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-24172 | The VM Backups WordPress plugin through 1.0 does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as generate backups of the DB, plugins, and current . | 4.3 | MEDIUM | — | 0 |
| CVE-2021-24173 | The VM Backups WordPress plugin through 1.0 does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as update the plugin's options, leading to a Stored Cross-Site... | 6.1 | MEDIUM | — | 0 |
| CVE-2021-24174 | The Database Backups WordPress plugin through 1.2.2.6 does not have CSRF checks, allowing attackers to make a logged in user unwanted actions, such as generate backups of the database, change the plug... | 8.1 | HIGH | — | 0 |
| CVE-2021-24175 | The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited by malicious actors to bypass authentication, allowing unauthenticated users to log in as any u... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-24176 | The JH 404 Logger WordPress plugin through 1.1 doesn't sanitise the referer and path of 404 pages, when they are output in the dashboard, which leads to executing arbitrary JavaScript code in the Word... | 5.4 | MEDIUM | — | 0 |
| CVE-2021-24180 | Unvalidated input and lack of output encoding within the Related Posts for WordPress plugin before 2.0.4 lead to a Reflected Cross-Site Scripting (XSS) vulnerability within the 'lang' GET parameter wh... | 5.4 | MEDIUM | — | 0 |
| CVE-2021-24181 | The tutor_mark_answer_as_correct AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 was vulnerable to blind and time based SQL injections that could be... | 6.5 | MEDIUM | — | 0 |
| CVE-2021-24182 | The tutor_quiz_builder_get_answers_by_question AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection that coul... | 6.5 | MEDIUM | — | 0 |
| CVE-2021-24183 | The tutor_quiz_builder_get_question_form AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection that could be e... | 6.5 | MEDIUM | — | 0 |
| CVE-2021-24184 | Several AJAX endpoints in the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 were unprotected, allowing students to modify course information and elevate their privileg... | 8.8 | HIGH | — | 0 |
| CVE-2021-24185 | The tutor_place_rating AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 was vulnerable to blind and time based SQL injections that could be exploited... | 6.5 | MEDIUM | — | 0 |
| CVE-2020-11255 | Denial of service while processing RTCP packets containing multiple SDES reports due to memory for last SDES packet is freed and rest of the memory is leaked in Snapdragon Auto, Snapdragon Compute, Sn... | 7.5 | HIGH | — | 0 |
| CVE-2021-24186 | The tutor_answering_quiz_question/get_answer_by_id function pair from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection tha... | 6.5 | MEDIUM | — | 0 |
| CVE-2021-24187 | The setting page of the SEO Redirection Plugin - 301 Redirect Manager WordPress plugin before 6.4 is vulnerable to reflected Cross-Site Scripting (XSS) as user input is not properly sanitised before b... | 5.4 | MEDIUM | — | 0 |
| CVE-2021-24196 | The Social Slider Widget WordPress plugin before 1.8.5 allowed Authenticated Reflected XSS in the plugin settings page as the ‘token_error’ parameter can be controlled by users and it is directly echo... | 5.4 | MEDIUM | — | 0 |
| CVE-2021-24201 | In the Elementor Website Builder WordPress plugin before 3.1.4, the column element (includes/elements/column.php) accepts an ‘html_tag’ parameter. Although the element control lists a fixed set of pos... | 5.4 | MEDIUM | — | 0 |
| CVE-2021-24202 | In the Elementor Website Builder WordPress plugin before 3.1.4, the heading widget (includes/widgets/heading.php) accepts a ‘header_size’ parameter. Although the element control lists a fixed set of p... | 5.4 | MEDIUM | — | 0 |
| CVE-2021-30150 | Composr 10.0.36 allows XSS in an XML script. | 6.1 | MEDIUM | — | 0 |
| CVE-2021-24203 | In the Elementor Website Builder WordPress plugin before 3.1.4, the divider widget (includes/widgets/divider.php) accepts an ‘html_tag’ parameter. Although the element control lists a fixed set of pos... | 5.4 | MEDIUM | — | 0 |
| CVE-2021-24204 | In the Elementor Website Builder WordPress plugin before 3.1.4, the accordion widget (includes/widgets/accordion.php) accepts a ‘title_html_tag’ parameter. Although the element control lists a fixed s... | 5.4 | MEDIUM | — | 0 |
| CVE-2021-24205 | In the Elementor Website Builder WordPress plugin before 3.1.4, the icon box widget (includes/widgets/icon-box.php) accepts a ‘title_size’ parameter. Although the element control lists a fixed set of ... | 5.4 | MEDIUM | — | 0 |
| CVE-2021-24206 | In the Elementor Website Builder WordPress plugin before 3.1.4, the image box widget (includes/widgets/image-box.php) accepts a ‘title_size’ parameter. Although the element control lists a fixed set o... | 5.4 | MEDIUM | — | 0 |
| CVE-2021-24207 | By default, the WP Page Builder WordPress plugin before 1.2.4 allows subscriber-level users to edit and make changes to any and all posts and pages - user roles must be specifically blocked from editing p... | 4.3 | MEDIUM | — | 0 |
| CVE-2021-24208 | The editor of the WP Page Builder WordPress plugin before 1.2.4 allows lower-privileged users to insert unfiltered HTML, including JavaScript, into pages via the “Raw HTML” widget and the “Custom HTML... | 5.4 | MEDIUM | — | 0 |
| CVE-2021-24209 | The WP Super Cache WordPress plugin before 1.7.2 was affected by an authenticated (admin+) RCE in the settings page due to input validation failure and weak $cache_path check in the WP Super Cache Set... | 7.2 | HIGH | — | 0 |
| CVE-2021-24210 | There is an open redirect in the PhastPress WordPress plugin before 1.111 that allows an attacker to malform a request to a page with the plugin and then redirect the victim to a malicious page. There... | 6.1 | MEDIUM | — | 0 |
| CVE-2021-24212 | The WooCommerce Help Scout WordPress plugin before 2.9.1 (https://woocommerce.com/products/woocommerce-help-scout/) allows unauthenticated users to upload any files to the site which by default will e... | 9.8 | CRITICAL | — | 0 |
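The entry for CVE-2021-24171 describes the bug class behind several upload CVEs in this table: a deny-list filter that strips blocked extension strings in a single pass, so a nested name survives the strip and still ends in `.php`. The Python below is an added illustration written for this page, not code from the affected plugin or from the original listing. It models that filter, shows the collapse of a constructed payload, and pairs it with the allow-list validation a practitioner would substitute (exactly one extension, from a fixed set, random server-side stem). The extension lists, the sample filenames and every function name are assumptions made for the example; the hardened check is general, not specific to that one plugin.

```python
"""Single-pass deny-list filename filter versus an allow-list validator.

Constructed example modelling the bug class described for CVE-2021-24171.
Extension lists, filenames and function names are assumptions, not the
affected plugin's code.
"""
import os
import secrets

# Extensions a deny-list filter typically tries to strip (assumed list).
BLOCKED_EXTENSIONS = ("php", "phtml", "phar", "php5", "php7")

# What the upload endpoint is actually meant to accept (assumed list).
ALLOWED_EXTENSIONS = frozenset({"png", "jpg", "jpeg", "gif", "pdf"})


def deny_list_single_pass(filename: str) -> str:
    """Weak filter: delete every blocked extension string in one pass.

    The characters left behind after a deletion are never re-examined, so
    'shell.p.phphp' becomes 'shell.php' once the inner '.php' is removed,
    while the naive test case 'shell.php' is reduced to 'shell' and makes
    the filter look adequate.
    """
    for ext in BLOCKED_EXTENSIONS:
        filename = filename.replace("." + ext, "")
    return filename


def would_execute(stored_name: str) -> bool:
    """True if the name the filter would store still ends in a PHP-style extension."""
    if "." not in stored_name:
        return False
    return stored_name.rsplit(".", 1)[-1].lower() in BLOCKED_EXTENSIONS


def validated_extension(filename: str) -> str:
    """Allow-list check: return the lowercase extension or raise ValueError.

    Rules: path components are stripped first, the name must have exactly
    one non-empty extension and a non-empty stem, and the extension must be
    in ALLOWED_EXTENSIONS. Anything with a second dot ('a.php.png',
    'shell.p.phphp', '.htaccess') is rejected instead of "cleaned", so there
    is no rewriting step for an attacker to reason about.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        raise ValueError(f"rejected {filename!r}: need exactly one extension")
    ext = parts[1]
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"rejected {filename!r}: extension {ext!r} not allowed")
    return ext


def is_rejected(filename: str) -> bool:
    """Convenience wrapper: does the allow-list validator refuse this name?"""
    try:
        validated_extension(filename)
    except ValueError:
        return True
    return False


def server_side_name(filename: str) -> str:
    """Never store the client-supplied name: random stem plus validated extension."""
    return f"{secrets.token_hex(16)}.{validated_extension(filename)}"


if __name__ == "__main__":
    for name in ("shell.php", "shell.p.phphp"):
        stored = deny_list_single_pass(name)
        print(f"deny-list: {name!r:>16} -> {stored!r:>12}  executable={would_execute(stored)}")
    for name in ("photo.JPG", "shell.p.phphp", "a.php.png", ".htaccess", "../x.png"):
        print(f"allow-list: {name!r:>16} rejected={is_rejected(name)}")
```

The deny-list run shows why the filter passed casual testing (`shell.php` is stripped to `shell`) and why it still fails (`shell.p.phphp` is stored as `shell.php`). Looping the strip until nothing changes would close that particular gap but keeps the deny-list shape, which is why the validator instead refuses anything that is not a single allow-listed extension and discards the client's stem altogether.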
This product uses data from the NVD API but is not endorsed or certified by the NVD.