WordPress:CVE
Appearance
Plugins
- CVE-2021-24446 The Remove Footer Credit WordPress plugin before 1.0.6 does not have a CSRF check in place when saving its settings, which could allow an attacker to make logged-in admins change them and lead to a Stored XSS issue as well due to the lack ... https://cve.mitre.org/cgi-bin/cvenam
- CVE-2021-24874 The Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue WordPress plugin before 3.1.31 does not escape the lang and pid parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting i... https://cve.mitre.org/cgi-bin/cvenam
- CVE-2021-24904 The Mortgage Calculators WP WordPress plugin before 1.56 does not implement any sanitisation on the color setting of the background of a calculator, which could allow high privilege users to perform Stored Cross-Site Scripting attac... https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24904
- CVE-2021-25014 The Ibtana WordPress plugin before 1.1.4.9 does not have authorisation and CSRF checks in the ive_save_general_settings AJAX action, allowing any authenticated user, such as a subscriber, to call it and change the plugin's settings wh... https://cve.mitre.org/cgi-bin/cvenam
- CVE-2021-25018 The PPOM for WooCommerce WordPress plugin before 24.0 does not have authorisation and CSRF checks in the ppom_settings_panel_action AJAX action, allowing any authenticated user to call it and set arbitrary settings. Furthermore, due to t... https://cve.mitre.org/cgi-bin/cvenam
- CVE-2021-25033 The WordPress Newsletter Plugin WordPress plugin before 1.6.5 does not validate the to parameter before redirecting the user to its given value, leading to an open redirect issue https://cve.mitre.org/cgi-bin/cvenam
- CVE-2021-25050 The Remove Footer Credit WordPress plugin before 1.0.11 does not properly sanitise its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. https://cve.mitre.org/cgi-bin/cvenam
- CVE-2021-25107 The Form Store to DB WordPress plugin before 1.1.1 does not sanitise and escape parameter keys before outputting them back in the created entry, allowing an unauthenticated attacker to perform Cross-Site Scripting attacks against admins https://cve.mitre.org/cgi-bin/cvenam
- CVE-2021-25109 The Futurio Extra WordPress plugin before 1.6.3 is affected by a SQL Injection vulnerability that could be used by high privilege users to extract data from the database as well as used to perform Cross-Site Scripting (XSS) against ... https://cve.mitre.org/cgi-bin/cvenam
- CVE-2021-25110 The Futurio Extra WordPress plugin before 1.6.3 allows any logged-in user, even a subscriber, to extract any other user's email address. https://cve.mitre.org/cgi-bin/cvenam
- CVE-2021-25115 The WP Photo Album Plus WordPress plugin before 8.0.10 was vulnerable to Stored Cross-Site Scripting (XSS). Error log content was handled improperly, therefore any user, even unauthenticated, could cause arbitrary javascript to be e... https://cve.mitre.org/cgi-bin/cvenam
- CVE-2022-0176 The PowerPack Lite for Beaver Builder WordPress plugin before 1.2.9.3 does not sanitise and escape the tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting https://cve.mitre.org/cgi-bin/cvenam
- CVE-2022-0188 The CMP WordPress plugin before 4.0.19 allows any user, even one not logged in, to arbitrarily change the coming soon page layout. https://cve.mitre.org/cgi-bin/cvenam
- CVE-2022-0190 The Ad Invalid Click Protector (AICP) WordPress plugin before 1.2.6 is affected by a SQL Injection in the id parameter of the delete action. https://cve.mitre.org/cgi-bin/cvenam
- CVE-2022-0193 The Complianz WordPress plugin before 6.0.0 does not escape the s parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting https://cve.mitre.org/cgi-bin/cvenam
- CVE-2022-0200 Themify Portfolio Post WordPress plugin before 1.1.7 does not sanitise and escape the num_of_pages parameter before outputting it back in the response of the themify_create_popup_page_pagination AJAX action (available to any authenticat... https://cve.mitre.org/cgi-bin/cvenam
- CVE-2022-0201 The Permalink Manager Lite WordPress plugin before 2.2.15 and Permalink Manager Pro WordPress plugin before 2.2.15 do not sanitise and escape query parameters before outputting them back in the debug page, leading to a Reflected Cros... https://cve.mitre.org/cgi-bin/cvenam
- CVE-2022-0206 The NewStatPress WordPress plugin before 1.3.6 does not properly escape the whatX parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues https://cve.mitre.org/cgi-bin/cvenam
- CVE-2022-0208 The MapPress Maps for WordPress plugin before 2.73.4 does not sanitise and escape the mapid parameter before outputting it back in the "Bad mapid" error message, leading to a Reflected Cross-Site Scripting https://cve.mitre.org/cgi-bin/cvenam
- CVE-2022-0212 The SpiderCalendar WordPress plugin through 1.5.65 does not sanitise and escape the callback parameter before outputting it back in the page via the window AJAX action (available to both unauthenticated and authenticated users), lead... https://cve.mitre.org/cgi-bin/cvenam
- CVE-2022-0214 The Popup | Custom Popup Builder WordPress plugin before 1.3.1 autoloads data from its popup on every page; as such data can be sent by an unauthenticated user and is not validated in length, this could cause a denial of service on the... https://cve.mitre.org/cgi-bin/cvenam
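Most entries above share three root causes: a wp_ajax_ handler with no nonce (CSRF) and no capability check (authorisation), request data stored or echoed without sanitisation or context-specific escaping (stored and reflected XSS), and a raw id or redirect parameter used directly (SQL injection, open redirect). The block below is an added example written for this page; it is not code from any of the plugins listed and does not reproduce any of the listed bugs verbatim. It shows the vulnerable shape next to the hardened one using only core WordPress APIs. It runs only inside a WordPress install; the demo_ action, option, nonce and table names are hypothetical.

```php
<?php
/**
 * Added example (not from any plugin above). Requires WordPress; all
 * names prefixed demo_ are hypothetical.
 */

// --- Vulnerable shape: every logged-in user can reach a wp_ajax_ hook,
// and nothing here checks a nonce or a capability. The value is stored
// raw and later echoed into an attribute unescaped (stored XSS).
add_action( 'wp_ajax_demo_save_settings_vuln', function () {
    update_option( 'demo_footer_text', $_POST['footer_text'] ); // unsanitised
    wp_send_json_success();
} );

function demo_render_footer_vuln() {
    echo '<div title="' . get_option( 'demo_footer_text' ) . '"></div>';
}

// --- Hardened shape.
add_action( 'wp_ajax_demo_save_settings', function () {
    // 1. CSRF: require a nonce tied to this action. check_ajax_referer()
    //    terminates the request with -1 if the 'nonce' field is missing or stale.
    check_ajax_referer( 'demo_save_settings', 'nonce' );

    // 2. Authorisation: logged in is not enough. Subscribers fail this check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Sanitise on input. wp_unslash() undoes WordPress's added slashes;
    //    sanitize_text_field() strips tags, octets and control characters.
    $text = isset( $_POST['footer_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['footer_text'] ) )
        : '';
    update_option( 'demo_footer_text', $text );
    wp_send_json_success();
} );

function demo_render_footer() {
    // 4. Escape on output with the escaper that matches the context:
    //    esc_attr() inside an attribute, esc_html() in element content.
    //    The same rule applies to request parameters echoed straight back
    //    (the reflected XSS entries): esc_attr( wp_unslash( $_GET['tab'] ) ).
    $text = get_option( 'demo_footer_text', '' );
    echo '<div title="' . esc_attr( $text ) . '">' . esc_html( $text ) . '</div>';
}

// Delete action taking an id: same nonce + capability gate, then an integer
// cast and a prepared statement instead of string concatenation.
add_action( 'wp_ajax_demo_delete_row', function () {
    global $wpdb;
    check_ajax_referer( 'demo_delete_row', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0; // non-negative int
    if ( 0 === $id ) {
        wp_send_json_error( 'bad id', 400 );
    }
    $table = $wpdb->prefix . 'demo_rows'; // hypothetical table
    $wpdb->query( $wpdb->prepare( "DELETE FROM {$table} WHERE id = %d", $id ) );
    wp_send_json_success();
} );

// Redirect parameter: wp_safe_redirect() validates the target with
// wp_validate_redirect() and falls back to admin_url() for off-site hosts
// (unless the host is allowed via the allowed_redirect_hosts filter).
function demo_redirect_back() {
    $to = isset( $_GET['to'] ) ? esc_url_raw( wp_unslash( $_GET['to'] ) ) : '';
    wp_safe_redirect( '' !== $to ? $to : admin_url() );
    exit;
}
```

The admin page that triggers the save must emit the matching nonce, for example with wp_create_nonce( 'demo_save_settings' ) passed to the script via wp_localize_script(), and the JavaScript sends it as the nonce field; without that the hardened handler rejects every request, which is the intended failure mode. Note that check_ajax_referer() alone does not authorise: a subscriber can obtain a valid nonce from any page that prints one, so the current_user_can() check is what keeps the "any authenticated user" cases above from working.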