CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities (CVSS score between 3 and 3.99)
| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 701 | CVE-2021-24833 | 79 | | Exec Code XSS | 2021-11-17 | 2021-11-18 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The YOP Poll WordPress plugin before 6.3.1 is affected by a stored Cross-Site Scripting vulnerability in the Admin preview module, where a user with a role as low as author can execute arbitrary script code within the context of the application. The vulnerability is due to insufficient validation of the question and answer text parameters in the Create Poll module. |
| 702 | CVE-2021-24830 | 79 | | XSS | 2021-11-23 | 2021-11-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Advanced Access Manager WordPress plugin before 6.8.0 does not escape some of its settings when outputting them, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 703 | CVE-2021-24822 | 79 | | XSS CSRF | 2021-11-29 | 2021-11-29 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Stylish Cost Calculator WordPress plugin before 7.0.4 does not have any authorisation or CSRF checks on some of its AJAX actions (available to authenticated users), which could allow any authenticated user, such as a subscriber, to call them and perform Stored Cross-Site Scripting attacks against logged-in admins as well as frontend users, due to the lack of sanitisation and escaping in some parameters. |
| 704 | CVE-2021-24815 | 79 | | XSS | 2021-11-17 | 2021-11-18 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Accept Donations with PayPal WordPress plugin before 1.3.2 does not escape the Amount Menu Name field of created Buttons, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 705 | CVE-2021-24813 | 79 | | XSS | 2021-11-01 | 2021-11-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Events Made Easy WordPress plugin before 2.2.24 does not sanitise and escape Custom Field Names, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 706 | CVE-2021-24812 | 79 | | XSS | 2021-11-23 | 2021-11-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The BetterLinks WordPress plugin before 1.2.6 does not sanitise and escape some of the imported link fields, which could lead to Stored Cross-Site Scripting issues when an admin imports a malicious CSV. |
| 707 | CVE-2021-24811 | 79 | | XSS | 2021-11-29 | 2021-11-29 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Shop Page WP WordPress plugin before 1.2.8 does not sanitise and escape some of the Product fields, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 708 | CVE-2021-24807 | 79 | | XSS | 2021-11-08 | 2021-11-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Support Board WordPress plugin before 3.3.5 allows Authenticated (Agent+) users to perform Cross-Site Scripting attacks by placing a payload in the notes field; when an administrator or any authenticated user goes to the chat, the XSS is automatically executed. |
| 709 | CVE-2021-24794 | 79 | | XSS | 2021-11-01 | 2021-11-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Connections Business Directory WordPress plugin before 10.4.3 does not escape the Address settings when creating an Entry, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 710 | CVE-2021-24793 | 79 | | XSS | 2021-11-01 | 2021-11-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The WPeMatico RSS Feed Fetcher WordPress plugin before 2.6.12 does not escape the Feed URL added to a campaign before outputting it in an attribute, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 711 | CVE-2021-24789 | 79 | | XSS | 2021-11-01 | 2021-11-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Flat Preloader WordPress plugin before 1.5.5 does not escape some of its settings when outputting them in an attribute in the frontend, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 712 | CVE-2021-24787 | 79 | | XSS | 2021-11-17 | 2021-11-18 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Client Invoicing by Sprout Invoices WordPress plugin before 19.9.7 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 713 | CVE-2021-24785 | 79 | | XSS | 2021-10-25 | 2021-10-27 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Great Quotes WordPress plugin through 1.0.0 does not sanitise and escape the Quote and Author fields of its Quotes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 714 | CVE-2021-24773 | 79 | | XSS | 2021-11-01 | 2021-11-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The WordPress Download Manager WordPress plugin before 3.2.16 does not escape some of the Download settings when outputting them, allowing high privilege users to perform XSS attacks even when the unfiltered_html capability is disallowed. |
| 715 | CVE-2021-24768 | 79 | | XSS | 2021-11-29 | 2021-11-29 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The WP RSS Aggregator WordPress plugin before 4.19.2 does not properly sanitise and escape the URL to Blacklist field, allowing malicious HTML to be inserted by high privilege users even when the unfiltered_html capability is disallowed, which could lead to Cross-Site Scripting issues. |
| 716 | CVE-2021-24760 | 79 | | XSS | 2021-10-18 | 2021-10-21 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Gutenberg PDF Viewer Block WordPress plugin before 1.0.1 does not sanitise and escape its block, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks. |
| 717 | CVE-2021-24759 | 79 | | XSS | 2021-12-06 | 2021-12-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The PDF.js Viewer WordPress plugin before 2.0.2 does not escape some of its shortcode and Gutenberg Block attributes, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks. |
| 718 | CVE-2021-24752 | 352 | | CSRF | 2021-10-18 | 2021-10-22 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Multiple plugins from the CatchThemes vendor do not perform capability and CSRF checks in the ctp_switch AJAX action, which could allow any authenticated user, such as a Subscriber, to change the configuration of the following plugins: Essential Widgets before 1.9, To Top before 2.3, Header Enhancement before 1.5, Generate Child Theme before 1.6, Essential Content Types before 1.9, Catch Web Tools before 2.7, Catch Under Construction before 1.4, Catch Themes Demo Import before 1.6, Catch Sticky Menu before 1.7, Catch Scroll Progress Bar before 1.6, Social Gallery and Widget before 2.3, Catch Infinite Scroll before 1.9, Catch Import Export before 1.9, Catch Gallery before 1.7, Catch Duplicate Switcher before 1.6, Catch Breadcrumb before 1.7, and Catch IDs before 2.4. |
| 719 | CVE-2021-24751 | 79 | | XSS | 2021-11-29 | 2021-11-29 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The GenerateBlocks WordPress plugin before 1.4.0 does not validate the generateblocks/container block's tagName attribute, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks. |
| 720 | CVE-2021-24745 | 79 | | XSS | 2021-11-29 | 2021-11-29 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The About Author Box WordPress plugin before 1.0.2 does not sanitise and escape the Social Profiles field values before outputting them in attributes, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks. |
| 721 | CVE-2021-24744 | 79 | | XSS | 2021-10-25 | 2021-10-27 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The WordPress Contact Forms by Cimatti WordPress plugin before 1.4.12 does not sanitise and escape the Form Title before outputting it in some admin pages, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 722 | CVE-2021-24743 | 79 | | XSS | 2021-10-18 | 2021-10-22 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Podcast Subscribe Buttons WordPress plugin before 1.4.2 allows users with any role capable of editing or adding posts to perform stored XSS. |
| 723 | CVE-2021-24740 | 79 | | XSS | 2021-10-18 | 2021-10-22 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Tutor LMS WordPress plugin before 1.9.9 does not escape some of its settings before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 724 | CVE-2021-24737 | 79 | | XSS | 2021-10-11 | 2021-10-15 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Comments – wpDiscuz WordPress plugin through 7.3.0 does not properly sanitise or escape the Follow and Unfollow messages before outputting them in the page, which could allow high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 725 | CVE-2021-24736 | 79 | | XSS | 2021-10-18 | 2021-10-22 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Easy Download Manager and File Sharing Plugin with frontend file upload – a better Media Library — Shared Files WordPress plugin before 1.6.57 does not sanitise and escape some of its settings before outputting them in attributes, which could lead to Stored Cross-Site Scripting issues. |
| 726 | CVE-2021-24734 | 79 | | XSS | 2021-10-18 | 2021-10-21 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Compact WP Audio Player WordPress plugin before 1.9.7 does not escape some of its shortcode attributes, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. |
| 727 | CVE-2021-24732 | 79 | | XSS | 2021-10-18 | 2021-10-21 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The PDF Flipbook, 3D Flipbook WordPress – DearFlip WordPress plugin before 1.7.10 does not escape the class attribute of its shortcode before outputting it back in an attribute, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. |
| 728 | CVE-2021-24729 | 79 | | XSS | 2021-11-23 | 2021-11-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Logo Showcase with Slick Slider WordPress plugin before 1.2.4 does not sanitise the Grid Settings, which could allow users with a role as low as Author to perform stored Cross-Site Scripting attacks via the post metadata of a Grid logo showcase. |
| 729 | CVE-2021-24724 | 79 | | +Priv XSS | 2021-09-13 | 2021-09-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Timetable and Event Schedule by MotoPress WordPress plugin before 2.3.19 does not sanitise some of its parameters, which could allow low privilege users such as authors to perform XSS attacks against frontend and backend users when viewing the related event/s. |
| 730 | CVE-2021-24723 | 79 | | XSS | 2021-11-01 | 2021-11-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The WP Reactions Lite WordPress plugin before 1.3.6 does not properly sanitize inputs within wp-admin pages, allowing users with sufficient access to inject XSS payloads within /wp-admin/ pages. |
| 731 | CVE-2021-24722 | 79 | | XSS | 2021-11-01 | 2021-11-30 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Restaurant Menu by MotoPress WordPress plugin before 2.4.2 does not properly sanitize or escape inputs when creating new menu items, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 732 | CVE-2021-24720 | 79 | | XSS | 2021-10-11 | 2021-10-15 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The GeoDirectory Business Directory WordPress plugin before 2.1.1.3 was vulnerable to Authenticated Stored Cross-Site Scripting (XSS). |
| 733 | CVE-2021-24718 | 79 | | XSS | 2021-12-06 | 2021-12-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Contact Form, Survey & Popup Form Plugin for WordPress plugin before 1.5 does not properly sanitize some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 734 | CVE-2021-24716 | 79 | | XSS | 2021-11-01 | 2021-11-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Modern Events Calendar Lite WordPress plugin before 5.22.3 does not properly sanitize or escape values set by users with access to adjust settings within wp-admin. |
| 735 | CVE-2021-24715 | 79 | | XSS | 2021-11-01 | 2021-11-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The WP Sitemap Page WordPress plugin before 1.7.0 does not properly sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 736 | CVE-2021-24714 | 79 | | XSS | 2021-12-06 | 2021-12-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Import any XML or CSV File to WordPress plugin before 3.6.3 does not escape the Import's Title and Unique Identifier fields before outputting them in admin pages, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 737 | CVE-2021-24713 | 79 | | XSS | 2021-11-23 | 2021-11-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Video Lessons Manager WordPress plugin before 1.7.2 and Video Lessons Manager Pro WordPress plugin before 3.5.9 do not properly sanitize and escape values when updating their settings, which could allow high privilege users to perform Cross-Site Scripting attacks. |
| 738 | CVE-2021-24712 | 79 | | XSS | 2021-10-11 | 2021-10-15 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Appointment Hour Booking WordPress plugin before 1.3.17 does not properly sanitize values used when creating new calendars. |
| 739 | CVE-2021-24710 | 79 | | XSS | 2021-11-08 | 2021-11-11 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Print-O-Matic WordPress plugin before 2.0.3 does not escape some of its settings before outputting them in an attribute, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 740 | CVE-2021-24709 | 79 | | XSS | 2021-10-11 | 2021-10-15 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Weather Effect WordPress plugin before 1.3.6 does not properly validate and escape some of its settings (like *_size_leaf, *_flakes_leaf, *_speed), which could lead to Stored Cross-Site Scripting issues. |
| 741 | CVE-2021-24708 | 79 | | XSS | 2021-11-08 | 2021-11-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Export any WordPress data to XML/CSV WordPress plugin before 1.3.1 does not escape its Export's Name before outputting it in the Manage Exports settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 742 | CVE-2021-24706 | 79 | | XSS | 2021-11-08 | 2021-11-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Qwizcards – online quizzes and flashcards WordPress plugin before 3.62 does not properly sanitize and escape some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 743 | CVE-2021-24703 | 732 | | CSRF | 2021-11-23 | 2021-11-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Download Plugin WordPress plugin before 1.6.1 does not have capability and CSRF checks in the dpwap_plugin_activate AJAX action, allowing any authenticated user, such as a subscriber, to activate plugins that are already installed. |
| 744 | CVE-2021-24701 | 79 | | XSS | 2021-11-08 | 2021-11-10 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Quiz Tool Lite WordPress plugin through 2.3.15 does not sanitize multiple input fields used when creating or managing quizzes and in other setting options, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 745 | CVE-2021-24700 | 79 | | XSS | 2021-11-23 | 2021-11-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Forminator WordPress plugin before 1.15.4 does not sanitize and escape the email field label, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 746 | CVE-2021-24699 | 79 | | XSS | 2021-10-25 | 2021-10-27 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Easy Media Download WordPress plugin before 1.1.7 does not escape the text argument of its shortcode, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. |
| 747 | CVE-2021-24691 | 79 | | XSS | 2021-10-11 | 2021-10-15 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Quiz And Survey Master WordPress plugin before 7.3.2 does not escape the Quiz Url Slug setting before outputting it in some pages, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 748 | CVE-2021-24690 | 79 | | XSS | 2021-10-11 | 2021-10-15 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Chained Quiz WordPress plugin before 1.2.7.2 does not properly sanitize or escape inputs in the plugin's settings. |
| 749 | CVE-2021-24687 | 79 | | XSS | 2021-10-04 | 2021-10-08 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Modern Events Calendar Lite WordPress plugin before 5.22.2 does not escape some of its settings before outputting them in attributes, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. |
| 750 | CVE-2021-24682 | 79 | | XSS | 2021-11-01 | 2021-11-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Cool Tag Cloud WordPress plugin before 2.26 does not escape the style attribute of the cool_tag_cloud shortcode, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks. |